EIP-2026-113531

PRE-CVE

WordPress Plugin Add From Server < 3.3.2 - Cross-Site Request Forgery (Arbitrary File Upload)

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-113531. PoCs published by Edwin Molenaar.

AI-analyzed exploit summary This exploit demonstrates a Cross-Site Request Forgery (CSRF) vulnerability in the Add From Server WordPress Plugin, allowing an attacker to add arbitrary files from remote sources to the victim's server. The vulnerability arises due to the lack of anti-CSRF tokens and improper validation of file sources.

Description

WordPress Plugin Add From Server < 3.3.2 - Cross-Site Request Forgery (Arbitrary File Upload)

Exploits (1)

exploitdb WORKING POC VERIFIED

by Edwin Molenaar · textwebappsphp

https://www.exploit-db.com/exploits/40220

View Code ZIP pw:eip

This exploit demonstrates a Cross-Site Request Forgery (CSRF) vulnerability in the Add From Server WordPress Plugin, allowing an attacker to add arbitrary files from remote sources to the victim's server. The vulnerability arises due to the lack of anti-CSRF tokens and improper validation of file sources.

Classification

Working Poc 90%

Attack Type

Other

Complexity

Trivial

Reliability

Reliable

Target: Add From Server WordPress Plugin version 6.2

Auth required

Prerequisites: Victim must be authenticated and lured into clicking a malicious link

MITRE ATT&CK

T1189 - Drive-by Compromise

devstral-2 · analyzed Feb 16, 2026 Full analysis →

Details

Status pre_cve

Tracked Since Feb 18, 2026