CVE-2018-9844

MEDIUM

Iptanus WordPress File Upload < 4.3.4 - Cross-Site Scripting via Settings Attributes

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-9844. PoCs published by ManhNho.

AI-analyzed exploit summary This exploit demonstrates a Stored XSS vulnerability in WordPress File Upload plugin version 4.3.3. The PoC shows how an attacker can inject malicious JavaScript code into the 'wfu_basedir' parameter, which is then stored and executed in the admin panel.

Description

The Iptanus WordPress File Upload plugin before 4.3.4 for WordPress mishandles Settings attributes, leading to XSS.

Exploits (1)

exploitdb WORKING POC
by ManhNho · textwebappsphp
https://www.exploit-db.com/exploits/44444

This exploit demonstrates a Stored XSS vulnerability in WordPress File Upload plugin version 4.3.3. The PoC shows how an attacker can inject malicious JavaScript code into the 'wfu_basedir' parameter, which is then stored and executed in the admin panel.

Classification
Working Poc 100%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: WordPress File Upload plugin 4.3.3
Auth required
Prerequisites: Admin access to WordPress panel · WordPress File Upload plugin version 4.3.3 installed
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3
Core References
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/44444/
Third Party Advisory x_refsource_confirm
https://wordpress.org/plugins/wp-file-upload/#developers

Scores

CVSS v3 6.1
EPSS 0.0384
EPSS Percentile 88.8%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-79
Status published
Products (1)
iptanus/wordpress_file_upload < 4.3.4
Published Apr 07, 2018
Tracked Since Feb 18, 2026