EIP-2026-114004

PRE-CVE

WordPress Plugin Reflex Gallery 3.1.3 - Arbitrary File Upload

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-114004. PoCs published by CrashBandicot.

AI-analyzed exploit summary: This exploit demonstrates an arbitrary file upload vulnerability in the WordPress Reflex Gallery plugin (v3.1.3). The vulnerability allows attackers to upload malicious files by manipulating the 'Year' and 'Month' GET parameters to control the upload path.

Description

WordPress Plugin Reflex Gallery 3.1.3 - Arbitrary File Upload

Exploits (1)

exploitdb · WORKING POC · VERIFIED
by CrashBandicot · text · webapps · php
https://www.exploit-db.com/exploits/36374

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: WordPress Reflex Gallery Plugin v3.1.3
No auth needed
Prerequisites: Access to the vulnerable WordPress plugin endpoint · Ability to send HTTP POST requests with file uploads
devstral-2 · analyzed Feb 18, 2026

Details

Status: pre_cve
Tracked Since: Feb 18, 2026