CVE-2026-2942

CRITICAL

ProSolution WP Client <= 1.9.9 - Unauthenticated Arbitrary File Upload via proSol_fileUploadProcess

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-2942. PoCs published by xxconi.

AI-analyzed exploit summary: This repository contains a functional exploit for CVE-2026-2942, targeting the ProSolution WP Client plugin. The exploit demonstrates an unauthenticated file upload vulnerability via MIME spoofing, leading to remote code execution (RCE).

Description

The ProSolution WP Client plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'proSol_fileUploadProcess' function in all versions up to, and including, 1.9.9. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

Exploits (1)

GitHub · working PoC
by xxconi · python · poc
https://github.com/xxconi/CVE-2026-2942


Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: ProSolution WP Client <= 1.9.9
No auth needed
Prerequisites: WordPress with ProSolution WP Client plugin active · Public page containing [prosolfrontend] shortcode
devstral-2 · analyzed May 26, 2026

Scores

CVSS v3: 9.8
EPSS: 0.0058
EPSS Percentile: 42.8%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: yes
Technical Impact: total

Details

CWE: CWE-434
Status: published
Products (1): prosolution/ProSolution WP Client < 1.9.9
Published: Apr 08, 2026
Tracked Since: Apr 09, 2026