{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/file-upload/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-4882"}],"_cs_exploited":false,"_cs_products":["User Registration Advanced Fields plugin \u003c= 1.6.20"],"_cs_severities":["critical"],"_cs_tags":["wordpress","file-upload","rce"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe User Registration Advanced Fields plugin for WordPress, specifically versions up to and including 1.6.20, contains an arbitrary file upload vulnerability (CVE-2026-4882) due to insufficient file type validation in the \u003ccode\u003eURAF_AJAX::method_upload\u003c/code\u003e function. This flaw enables unauthenticated attackers to upload any file type to the affected server, which can lead to remote code execution if the uploaded file is strategically placed and executed. The vulnerability is exploitable only if a \u0026ldquo;Profile Picture\u0026rdquo; field is active within the registration form. 
This poses a significant threat to websites using the plugin, as attackers can potentially gain full control of the server.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a WordPress site using the vulnerable User Registration Advanced Fields plugin (\u0026lt;= 1.6.20) with the \u0026ldquo;Profile Picture\u0026rdquo; field enabled.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request to the \u003ccode\u003eURAF_AJAX::method_upload\u003c/code\u003e function, bypassing any client-side file type checks.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads a web shell (e.g., a PHP file) disguised as a legitimate file type or without any extension to evade basic detection mechanisms.\u003c/li\u003e\n\u003cli\u003eThe vulnerable plugin saves the file to the WordPress uploads directory without proper validation.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies the exact file path of the uploaded web shell on the server.\u003c/li\u003e\n\u003cli\u003eThe attacker sends another HTTP request directly to the uploaded web shell.\u003c/li\u003e\n\u003cli\u003eThe web shell executes on the server, providing the attacker with remote code execution capabilities.\u003c/li\u003e\n\u003cli\u003eThe attacker can then leverage the web shell to perform various malicious activities, such as installing malware, defacing the website, or exfiltrating sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability (CVE-2026-4882) allows unauthenticated attackers to upload arbitrary files to a vulnerable WordPress website, potentially leading to remote code execution. This can result in complete compromise of the affected website, including data theft, website defacement, and malware infections. 
The CVSS v3.1 base score for this vulnerability is 9.8, indicating a critical severity level. The impact includes potential damage to reputation, financial losses, and legal liabilities.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the User Registration Advanced Fields plugin to the latest version (greater than 1.6.20) to patch CVE-2026-4882.\u003c/li\u003e\n\u003cli\u003eImplement file type validation on the server-side, restricting allowed file extensions for profile picture uploads.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious file upload activity targeting the \u003ccode\u003eURAF_AJAX::method_upload\u003c/code\u003e function to detect potential exploitation attempts. Deploy the Sigma rule \u003ccode\u003eDetect Suspicious WordPress File Uploads\u003c/code\u003e to your SIEM.\u003c/li\u003e\n\u003cli\u003eImplement strict file permission policies to prevent uploaded files from being executed as scripts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-02T05:16:00Z","date_published":"2026-05-02T05:16:00Z","id":"/briefs/2026-05-wordpress-upload/","summary":"The User Registration Advanced Fields plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation, allowing unauthenticated attackers to upload arbitrary files leading to potential remote code execution.","title":"WordPress User Registration Advanced Fields Plugin Arbitrary File Upload Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-wordpress-upload/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-34415"}],"_cs_exploited":false,"_cs_products":["Online Toolkits (\u003c= 3.15)"],"_cs_severities":["critical"],"_cs_tags":["cve-2026-34415","rce","file-upload","web-application"],"_cs_type":"advisory","_cs_vendors":["Xerte"],"content_html":"\u003cp\u003eXerte Online Toolkits, a platform used for creating online learning materials, is vulnerable 
to unauthenticated remote code execution (RCE). Specifically, versions 3.15 and earlier contain an incomplete input validation vulnerability within the elFinder connector endpoint. This flaw allows an attacker to bypass existing file extension filters and upload PHP files with a \u0026lsquo;.php4\u0026rsquo; extension. Combined with authentication bypass and path traversal vulnerabilities, this can lead to arbitrary operating system command execution on the underlying server. This vulnerability, identified as CVE-2026-34415, poses a significant risk to organizations using affected versions of Xerte Online Toolkits, potentially allowing attackers to gain complete control of the web server.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker sends a crafted HTTP request to the elFinder connector endpoint.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits an authentication bypass vulnerability to gain unauthorized access to file upload functionality.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages a path traversal vulnerability to specify a writable directory for the uploaded file.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads a malicious PHP file disguised with a \u0026lsquo;.php4\u0026rsquo; extension, bypassing the incomplete input validation.\u003c/li\u003e\n\u003cli\u003eThe server saves the malicious PHP file to the specified directory.\u003c/li\u003e\n\u003cli\u003eThe attacker sends another HTTP request to directly access the uploaded PHP file via its URL.\u003c/li\u003e\n\u003cli\u003eThe web server executes the PHP code within the uploaded file, granting the attacker arbitrary code execution.\u003c/li\u003e\n\u003cli\u003eThe attacker can now execute operating system commands on the server, potentially leading to data theft, system compromise, or further malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 
id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an unauthenticated attacker to execute arbitrary operating system commands on the affected Xerte Online Toolkits server. Given the high CVSS score of 9.8, this vulnerability is considered critical. If exploited, an attacker could potentially gain full control of the server, leading to data breaches, defacement of the website, or the use of the compromised server as a launchpad for further attacks within the network. The number of potentially affected installations is currently unknown.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Xerte Online Toolkits to a patched version greater than 3.15 to remediate CVE-2026-34415.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u0026ldquo;Detect Suspicious PHP4 Uploads\u0026rdquo; to identify potential exploitation attempts by monitoring web server logs for \u0026lsquo;.php4\u0026rsquo; file uploads.\u003c/li\u003e\n\u003cli\u003eReview web server access logs for unusual requests to PHP files located in unexpected directories, which may indicate exploitation attempts.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for requests to the elFinder connector endpoint that include suspicious parameters or file extensions.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-23T12:00:00Z","date_published":"2026-04-23T12:00:00Z","id":"/briefs/2026-04-xerte-rce/","summary":"Xerte Online Toolkits 3.15 and earlier contain an incomplete input validation vulnerability allowing unauthenticated attackers to upload malicious PHP code with a '.php4' extension, leading to arbitrary operating system command execution on the server.","title":"Xerte Online Toolkits Unauthenticated Remote Code Execution via File 
Upload","url":"https://feed.craftedsignal.io/briefs/2026-04-xerte-rce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-6885"}],"_cs_exploited":false,"_cs_products":["SPM 2007"],"_cs_severities":["critical"],"_cs_tags":["file-upload","web-shell","code-execution"],"_cs_type":"advisory","_cs_vendors":["BorG Technology Corporation"],"content_html":"\u003cp\u003eBorg SPM 2007, a product by BorG Technology Corporation with sales ending in 2008, is vulnerable to arbitrary file uploads (CVE-2026-6885). This vulnerability allows unauthenticated remote attackers to upload malicious files, such as web shells, which can then be executed by the server. The attacker can then achieve arbitrary code execution, leading to a compromise of the system. Given the age of the software, it is likely running on outdated systems with fewer security controls making successful exploitation highly probable. This poses a significant risk to organizations still using this software.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a Borg SPM 2007 server exposed to the internet.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a crafted HTTP POST request to the server, exploiting the file upload vulnerability (CVE-2026-6885).\u003c/li\u003e\n\u003cli\u003eThe POST request contains a malicious file, such as a PHP web shell, disguised with a permissible extension or without any extension check.\u003c/li\u003e\n\u003cli\u003eThe Borg SPM 2007 server saves the uploaded file to a publicly accessible directory, without proper sanitization.\u003c/li\u003e\n\u003cli\u003eThe attacker sends another HTTP request to access the uploaded web shell.\u003c/li\u003e\n\u003cli\u003eThe web server executes the web shell code, granting the attacker arbitrary code execution on the server.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the web shell to gain a persistent foothold, install malware, or exfiltrate sensitive 
data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an unauthenticated remote attacker to execute arbitrary code on the vulnerable server. This can lead to full system compromise, data theft, and potential disruption of services. While the number of active installations is likely low due to the product\u0026rsquo;s end-of-life status in 2008, organizations still running Borg SPM 2007 are at high risk if the system is exposed to the Internet.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eIdentify instances of Borg SPM 2007 running in your environment and isolate them from the network if possible.\u003c/li\u003e\n\u003cli\u003eImplement the provided Sigma rule to detect potential web shell uploads based on HTTP request characteristics.\u003c/li\u003e\n\u003cli\u003eSince no patch exists, consider immediate decommissioning or migration to a supported alternative.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-23T10:16:18Z","date_published":"2026-04-23T10:16:18Z","id":"/briefs/2026-04-borg-spm-file-upload/","summary":"An unauthenticated remote attacker can exploit an arbitrary file upload vulnerability (CVE-2026-6885) in Borg SPM 2007 to upload and execute web shell backdoors, leading to arbitrary code execution on the server.","title":"Borg SPM 2007 Arbitrary File Upload Vulnerability (CVE-2026-6885)","url":"https://feed.craftedsignal.io/briefs/2026-04-borg-spm-file-upload/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.3,"id":"CVE-2025-61687"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["flowiseai","file-upload","rce","web-shell"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eFlowiseAI, a low-code platform for building AI applications, contains a file upload validation bypass vulnerability. 
By modifying the Chatflow configuration, specifically the \u003ccode\u003eallowedUploadFileTypes\u003c/code\u003e setting, an attacker can add \u003ccode\u003eapplication/javascript\u003c/code\u003e as an accepted MIME type. This bypasses previous mitigations (CVE-2025-61687) intended to prevent the upload of potentially malicious files. Although the frontend UI restricts JavaScript uploads, a direct API request can circumvent this. Successful exploitation allows attackers to persistently store Node.js web shells (e.g., shell.js) on the Flowise server. This vulnerability affects FlowiseAI versions up to 3.0.13. If executed, these web shells could grant the attacker Remote Code Execution (RCE) capabilities on the server, posing a significant risk to system integrity and data confidentiality.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable FlowiseAI instance running a version \u0026lt;= 3.0.13.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the FlowiseAI instance as an administrator or with compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP PUT request to the \u003ccode\u003e/api/v1/chatflows/{CHATFLOW_ID}\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe PUT request modifies the Chatflow configuration, specifically the \u003ccode\u003echatbotConfig\u003c/code\u003e to include \u003ccode\u003eapplication/javascript\u003c/code\u003e in the \u003ccode\u003eallowedUploadFileTypes\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request to the \u003ccode\u003e/api/v1/attachments/{CHATFLOW_ID}/{CHAT_ID}\u003c/code\u003e endpoint to upload a \u003ccode\u003e.js\u003c/code\u003e file (Node.js web shell), such as the \u003ccode\u003eshell.js\u003c/code\u003e example.\u003c/li\u003e\n\u003cli\u003eThe server saves the malicious \u003ccode\u003e.js\u003c/code\u003e file to a 
publicly accessible directory.\u003c/li\u003e\n\u003cli\u003eThe attacker accesses the uploaded \u003ccode\u003e.js\u003c/code\u003e file via a direct HTTP request.\u003c/li\u003e\n\u003cli\u003eThe web shell executes commands specified in the URL parameters, such as \u003ccode\u003ehttp://localhost:8888/?cmd=id\u003c/code\u003e, resulting in RCE.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows attackers to upload and persistently store malicious web shells on the FlowiseAI server. Execution of these web shells grants the attacker the ability to execute arbitrary commands on the underlying system. This can lead to complete system compromise, data exfiltration, and denial of service. This vulnerability affects FlowiseAI versions up to 3.0.13.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply appropriate input validation and sanitization to prevent modification of \u003ccode\u003eallowedUploadFileTypes\u003c/code\u003e settings.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for PUT requests to \u003ccode\u003e/api/v1/chatflows/{CHATFLOW_ID}\u003c/code\u003e modifying \u003ccode\u003eallowedUploadFileTypes\u003c/code\u003e as described in the attack chain.\u003c/li\u003e\n\u003cli\u003eMonitor for POST requests to \u003ccode\u003e/api/v1/attachments/{CHATFLOW_ID}/{CHAT_ID}\u003c/code\u003e uploading \u003ccode\u003e.js\u003c/code\u003e files based on the attack chain.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided below to detect suspicious HTTP requests indicative of this attack.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-17T14:00:00Z","date_published":"2026-04-17T14:00:00Z","id":"/briefs/2026-04-17-flowise-upload-bypass/","summary":"A file upload validation bypass vulnerability exists in FlowiseAI, where the Chatflow configuration file upload settings can be 
modified to allow the application/javascript MIME type, enabling an attacker to upload .js files, store malicious Node.js web shells on the server, and potentially achieve Remote Code Execution (RCE).","title":"FlowiseAI File Upload Validation Bypass Leads to RCE","url":"https://feed.craftedsignal.io/briefs/2026-04-17-flowise-upload-bypass/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["authorization bypass","acl","file upload","file deletion","CVE-2026-40189"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe Goshs web server is susceptible to a critical authorization bypass (CVE-2026-40189) affecting versions up to and including 1.1.4 and v2.0.0-beta.3. The vulnerability stems from inconsistent enforcement of file-based ACLs defined by \u003ccode\u003e.goshs\u003c/code\u003e files. While the application correctly enforces authorization for reading and listing files, state-changing routes such as PUT, POST /upload, ?mkdir, and ?delete do not perform the same authorization checks. This allows unauthenticated attackers to upload, create, and delete files within directories that should be protected by authentication. The most severe impact arises from the ability to delete the \u003ccode\u003e.goshs\u003c/code\u003e file itself, thereby removing the authentication requirement and exposing previously protected content. 
This vulnerability undermines the intended security mechanisms of Goshs, posing a significant risk to data confidentiality, integrity, and availability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a Goshs instance utilizing \u003ccode\u003e.goshs\u003c/code\u003e files for access control.\u003c/li\u003e\n\u003cli\u003eThe attacker sends an unauthenticated PUT request to upload a file to a protected directory, bypassing ACL checks via \u003ccode\u003ehttpserver/updown.go:18-60\u003c/code\u003e. Example: \u003ccode\u003ePUT /protected/put-created.txt\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker sends an unauthenticated multipart POST request to \u003ccode\u003e/upload\u003c/code\u003e endpoint to upload a file to a protected directory, bypassing ACL checks via \u003ccode\u003ehttpserver/updown.go:63-165\u003c/code\u003e. Example: \u003ccode\u003ePOST /protected/upload\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003eThe attacker sends an unauthenticated request with the \u003ccode\u003e?mkdir\u003c/code\u003e parameter to create a directory within the protected directory, bypassing ACL checks via \u003ccode\u003ehttpserver/handler.go:901-937\u003c/code\u003e. Example: \u003ccode\u003e/?mkdir=new_directory\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003eThe attacker sends an unauthenticated request with the \u003ccode\u003e?delete\u003c/code\u003e parameter targeting the \u003ccode\u003e.goshs\u003c/code\u003e file within the protected directory, leveraging the vulnerable route in \u003ccode\u003ehttpserver/handler.go:679-698\u003c/code\u003e. 
Example: \u003ccode\u003e/.goshs?delete\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003eThe server deletes the \u003ccode\u003e.goshs\u003c/code\u003e file using \u003ccode\u003eos.RemoveAll()\u003c/code\u003e, effectively removing the access control restrictions for the directory.\u003c/li\u003e\n\u003cli\u003eThe attacker sends an unauthenticated request to access previously protected files, which are now accessible due to the absence of the \u003ccode\u003e.goshs\u003c/code\u003e file.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to sensitive information and can perform further malicious actions, such as deleting or modifying critical files.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows unauthenticated attackers to bypass intended access controls in Goshs deployments. This can lead to unauthorized access to sensitive files, potentially exposing confidential information. Attackers can also create, modify, or delete files within protected directories, causing data corruption or service disruption. The ability to delete the \u003ccode\u003e.goshs\u003c/code\u003e file directly amplifies the impact, as it permanently removes the authentication barrier, affecting all previously protected content. 
This vulnerability poses a significant threat to the confidentiality, integrity, and availability of Goshs-hosted data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the vendor-supplied patch or upgrade to a version of Goshs that addresses CVE-2026-40189.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Goshs Unauthenticated .goshs Deletion\u0026rdquo; to your SIEM to detect attempts to remove \u003ccode\u003e.goshs\u003c/code\u003e ACL files via the \u003ccode\u003e?delete\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Goshs Unauthenticated PUT Request to Protected Directories\u0026rdquo; to detect unauthorized file uploads to protected directories.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for PUT, POST, and DELETE requests targeting directories containing \u003ccode\u003e.goshs\u003c/code\u003e files to identify potential exploitation attempts. 
(Log Source: webserver)\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-10T20:02:46Z","date_published":"2026-04-10T20:02:46Z","id":"/briefs/2026-04-goshs-acl-bypass/","summary":"Goshs is vulnerable to an authorization bypass (CVE-2026-40189) due to inconsistent enforcement of .goshs ACLs on state-changing routes, allowing an unauthenticated attacker to manipulate files within protected directories and bypass authentication barriers.","title":"Goshs File-Based ACL Authorization Bypass Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-goshs-acl-bypass/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.2,"id":"CVE-2026-4808"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["wordpress","plugin","file-upload","remote-code-execution"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe Gerador de Certificados – DevApps plugin for WordPress, versions up to and including 1.3.6, contains an arbitrary file upload vulnerability (CVE-2026-4808). This flaw stems from a lack of file type validation within the \u003ccode\u003emoveUploadedFile()\u003c/code\u003e function. Authenticated users with administrator privileges or higher can exploit this vulnerability by uploading arbitrary files to the affected server. Successful exploitation could allow an attacker to execute arbitrary code on the server, leading to a complete system compromise. 
This vulnerability poses a significant threat to websites using the affected plugin, potentially impacting data confidentiality, integrity, and availability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to the WordPress site with administrator-level privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the Gerador de Certificados – DevApps plugin\u0026rsquo;s upload functionality.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious file (e.g., a PHP file) with a disguised extension or no extension.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads the malicious file through the plugin\u0026rsquo;s interface, bypassing the missing file type validation in the \u003ccode\u003emoveUploadedFile()\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe plugin saves the file to a publicly accessible directory on the server.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies the location of the uploaded file.\u003c/li\u003e\n\u003cli\u003eThe attacker sends an HTTP request to the uploaded file\u0026rsquo;s location.\u003c/li\u003e\n\u003cli\u003eThe server executes the malicious code within the uploaded file, granting the attacker remote code execution capabilities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows attackers with administrator privileges to upload arbitrary files to the web server. This can lead to remote code execution, potentially allowing the attacker to gain full control of the WordPress website and the underlying server. This could lead to data theft, website defacement, or use of the server for malicious purposes such as hosting phishing sites or launching attacks against other systems. 
The number of affected sites is potentially very large.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Gerador de Certificados – DevApps plugin to the latest version, which includes a fix for CVE-2026-4808.\u003c/li\u003e\n\u003cli\u003eImplement web server configurations to prevent the execution of scripts in upload directories.\u003c/li\u003e\n\u003cli\u003eEnable web server logging and monitor for suspicious file uploads and access attempts to unusual file types.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect attempts to access PHP files within the wp-content/uploads directory.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-08T07:16:22Z","date_published":"2026-04-08T07:16:22Z","id":"/briefs/2026-04-wordpress-upload/","summary":"The Gerador de Certificados – DevApps WordPress plugin is vulnerable to arbitrary file uploads due to missing file type validation, potentially leading to remote code execution.","title":"WordPress Plugin Vulnerability: Arbitrary File Upload in Gerador de Certificados – DevApps","url":"https://feed.craftedsignal.io/briefs/2026-04-wordpress-upload/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-0740"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["wordpress","file-upload","rce","CVE-2026-0740"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe Ninja Forms - File Uploads plugin for WordPress, specifically versions up to and including 3.3.26, contains an arbitrary file upload vulnerability (CVE-2026-0740). This flaw stems from a lack of proper file type validation within the \u003ccode\u003eNF_FU_AJAX_Controllers_Uploads::handle_upload\u003c/code\u003e function. An unauthenticated attacker can exploit this vulnerability to upload arbitrary files to the affected WordPress server. 
Successful exploitation could enable remote code execution, allowing the attacker to compromise the web server and potentially the underlying network. The vulnerability was partially addressed in version 3.3.25 and fully resolved in version 3.3.27. This vulnerability poses a significant risk to organizations using the vulnerable plugin, potentially leading to data breaches, website defacement, or complete system compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker sends a crafted HTTP POST request to the WordPress server targeting the \u003ccode\u003ewp-admin/admin-ajax.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe POST request includes a malicious file disguised as a legitimate file type, exploiting the missing file type validation in the \u003ccode\u003eNF_FU_AJAX_Controllers_Uploads::handle_upload\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ehandle_upload\u003c/code\u003e function processes the request without properly validating the file type, allowing the malicious file to be uploaded to the server.\u003c/li\u003e\n\u003cli\u003eThe uploaded file is stored in the WordPress uploads directory, typically located within the \u003ccode\u003ewp-content/uploads/ninja-forms-uploads/\u003c/code\u003e directory.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts the malicious file (e.g., a PHP script) to execute arbitrary code on the server when accessed.\u003c/li\u003e\n\u003cli\u003eThe attacker accesses the uploaded malicious file via a direct HTTP request to the file\u0026rsquo;s location within the uploads directory.\u003c/li\u003e\n\u003cli\u003eThe web server executes the malicious file (e.g., a PHP script), granting the attacker the ability to execute arbitrary commands on the server.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the executed code to gain a persistent foothold on the server, install malware, or 
exfiltrate sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-0740 allows unauthenticated attackers to upload arbitrary files, potentially leading to remote code execution. This can result in complete compromise of the WordPress website, including data breaches, website defacement, and installation of backdoors. The impact is significant due to the widespread use of WordPress and the Ninja Forms plugin. Even a single successful attack can lead to substantial financial losses, reputational damage, and legal liabilities. Websites utilizing versions of the Ninja Forms File Uploads plugin prior to 3.3.27 are vulnerable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Ninja Forms File Uploads plugin to version 3.3.27 or later to fully patch CVE-2026-0740.\u003c/li\u003e\n\u003cli\u003eImplement web application firewall (WAF) rules to detect and block malicious file upload attempts targeting the \u003ccode\u003ewp-admin/admin-ajax.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eMonitor web server access logs for suspicious requests to the \u003ccode\u003ewp-content/uploads/ninja-forms-uploads/\u003c/code\u003e directory.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Ninja Forms Arbitrary File Upload Attempt\u0026rdquo; to identify potential exploitation attempts in web server logs.\u003c/li\u003e\n\u003cli\u003eEnforce strict file type validation on all file upload forms, even after upgrading the plugin, as a defense-in-depth measure.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-07T05:16:06Z","date_published":"2026-04-07T05:16:06Z","id":"/briefs/2026-04-ninja-forms-rce/","summary":"The Ninja Forms File Uploads plugin for WordPress is vulnerable to unauthenticated arbitrary file uploads due to missing file type validation, potentially leading to 
remote code execution.","title":"Ninja Forms File Upload Plugin Vulnerability Leads to RCE","url":"https://feed.craftedsignal.io/briefs/2026-04-ninja-forms-rce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-35164"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cve-2026-35164","rce","file-upload","brave-cms","ckeditor","php","webserver"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eBrave CMS, an open-source content management system, is vulnerable to an unrestricted file upload vulnerability (CVE-2026-35164) in versions prior to 2.0.6. The vulnerability resides within the CKEditor upload functionality, specifically in the \u003ccode\u003eckupload\u003c/code\u003e method located in \u003ccode\u003eapp/Http/Controllers/Dashboard/CkEditorController.php\u003c/code\u003e. The application fails to properly validate the types of uploaded files, relying solely on user-provided input. This lack of validation enables an authenticated user to upload malicious PHP scripts, leading to arbitrary code execution on the server. The vulnerability was reported on April 6, 2026, and is fixed in Brave CMS version 2.0.6. 
Organizations using affected versions of Brave CMS are at risk of complete system compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker authenticates to the Brave CMS application as a user with upload privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to a page or functionality within the CMS that utilizes the CKEditor for content creation or editing.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the CKEditor\u0026rsquo;s upload functionality to upload a malicious PHP script disguised as a legitimate file type (e.g., image).\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eckupload\u003c/code\u003e method in \u003ccode\u003eapp/Http/Controllers/Dashboard/CkEditorController.php\u003c/code\u003e processes the uploaded file without proper validation of the file type or content.\u003c/li\u003e\n\u003cli\u003eThe malicious PHP script is stored on the server in a publicly accessible directory.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a request to directly access the uploaded PHP script via its URL.\u003c/li\u003e\n\u003cli\u003eThe web server executes the PHP script, granting the attacker the ability to run arbitrary commands on the server.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes persistence, installs a web shell, and performs lateral movement within the network, escalating privileges as needed to achieve their objectives.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to execute arbitrary PHP code on the affected Brave CMS server. This can lead to complete compromise of the CMS instance, including unauthorized access to sensitive data, modification of website content, and potential lateral movement to other systems on the network. The CVSS v3.1 base score for this vulnerability is 8.8, indicating a high severity level. 
Organizations running vulnerable versions of Brave CMS are at risk of data breaches, website defacement, and further exploitation of their infrastructure.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Brave CMS to version 2.0.6 or later to remediate the unrestricted file upload vulnerability (CVE-2026-35164).\u003c/li\u003e\n\u003cli\u003eImplement server-side file validation to prevent the upload of malicious files, regardless of file extension.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious activity related to file uploads and execution of PHP scripts.\u003c/li\u003e\n\u003cli\u003eDeploy the following Sigma rule to detect attempts to access potentially malicious PHP files in the web server\u0026rsquo;s upload directories.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-06T18:16:42Z","date_published":"2026-04-06T18:16:42Z","id":"/briefs/2026-04-brave-cms-rce/","summary":"Brave CMS versions prior to 2.0.6 contain an unrestricted file upload vulnerability within the CKEditor upload functionality in the ckupload method, allowing authenticated users to upload executable PHP scripts and achieve Remote Code Execution.","title":"Brave CMS Unrestricted File Upload Leads to Remote Code Execution","url":"https://feed.craftedsignal.io/briefs/2026-04-brave-cms-rce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2019-25685"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["phpBB","file-upload","deserialization","CVE-2019-25685"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2019-25685 is an arbitrary file upload vulnerability affecting phpBB. An authenticated attacker can exploit this vulnerability to upload malicious files by leveraging the plupload functionality and the phar:// stream wrapper. 
This allows them to upload a crafted ZIP archive that includes serialized PHP objects, leading to arbitrary code execution when these objects are deserialized via the imagick parameter within the attachment settings. Successful exploitation can result in complete server compromise, allowing the attacker to execute arbitrary commands, potentially leading to data theft, website defacement, or denial of service.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker authenticates to the phpBB application.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious ZIP archive containing serialized PHP objects designed for remote code execution. This archive is designed to be processed by the \u003ccode\u003ephar://\u003c/code\u003e stream wrapper.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads the crafted ZIP archive through the plupload functionality, potentially disguised as a legitimate attachment type.\u003c/li\u003e\n\u003cli\u003eThe phpBB application processes the uploaded file. The application uses the phar:// stream wrapper to extract the contents of the uploaded ZIP file.\u003c/li\u003e\n\u003cli\u003eThe application deserializes the malicious PHP objects, triggered by the imagick parameter in attachment settings.\u003c/li\u003e\n\u003cli\u003eDeserialization of the crafted PHP objects leads to arbitrary code execution on the server.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control of the web server, potentially escalating privileges.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2019-25685 allows an attacker to execute arbitrary code on the phpBB server. The attacker could gain complete control of the web server, potentially leading to data theft, website defacement, or denial of service. The impact is significant due to the potential for full system compromise. 
The number of victims is dependent on the number of phpBB installations exposed and targeted.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eInspect web server logs for POST requests to attachment upload endpoints containing ZIP archives and the \u0026ldquo;phar://\u0026rdquo; wrapper in request parameters to detect potential exploit attempts. (Log Source: webserver, Rule: phpbb_phar_upload)\u003c/li\u003e\n\u003cli\u003eMonitor phpBB file upload directories for the creation of unexpected files, particularly PHP scripts or other executable files. (Log Source: file_event, Rule: phpbb_suspicious_file_creation)\u003c/li\u003e\n\u003cli\u003eApply available patches or updates for phpBB to address CVE-2019-25685 as soon as possible.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-05T21:16:47Z","date_published":"2026-04-05T21:16:47Z","id":"/briefs/2026-04-phpbb-file-upload/","summary":"phpBB is vulnerable to arbitrary file upload (CVE-2019-25685) by exploiting the plupload functionality and phar:// stream wrapper, allowing authenticated attackers to upload crafted zip files containing serialized PHP objects that execute arbitrary code via the imagick parameter.","title":"phpBB Arbitrary File Upload Vulnerability (CVE-2019-25685)","url":"https://feed.craftedsignal.io/briefs/2026-04-phpbb-file-upload/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-5573"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["CVE-2026-5573","file-upload","web-application"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA critical vulnerability, CVE-2026-5573, has been identified in Technostrobe HI-LED-WR120-G2 version 5.5.0.1R6.03.30. This flaw allows unauthenticated, remote attackers to upload arbitrary files to the device due to improper handling of the \u0026lsquo;cwd\u0026rsquo; argument when accessing the \u003ccode\u003e/fs\u003c/code\u003e file. 
Publicly available exploits exist, increasing the risk of widespread exploitation. The vendor was notified but did not respond. This vulnerability poses a significant threat due to the potential for complete system compromise, including remote code execution and data exfiltration.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a Technostrobe HI-LED-WR120-G2 device running the vulnerable firmware version 5.5.0.1R6.03.30.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a crafted HTTP request to the \u003ccode\u003e/fs\u003c/code\u003e endpoint, manipulating the \u003ccode\u003ecwd\u003c/code\u003e argument.\u003c/li\u003e\n\u003cli\u003eThe manipulated \u003ccode\u003ecwd\u003c/code\u003e argument bypasses access controls, allowing the attacker to specify an arbitrary upload directory.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads a malicious file, such as a web shell or executable, to the specified directory.\u003c/li\u003e\n\u003cli\u003eThe attacker accesses the uploaded file via a web browser or other means.\u003c/li\u003e\n\u003cli\u003eIf the uploaded file is executable (e.g., a web shell), the attacker executes arbitrary commands on the device with the privileges of the web server.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the gained access to escalate privileges, install persistent backdoors, or exfiltrate sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-5573 allows attackers to gain complete control over affected Technostrobe HI-LED-WR120-G2 devices. This can lead to data breaches, system disruption, or the device being used as a foothold for further attacks within the network. 
The lack of vendor response and the availability of public exploits make this vulnerability particularly dangerous.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests to the \u003ccode\u003e/fs\u003c/code\u003e endpoint with unusual \u003ccode\u003ecwd\u003c/code\u003e parameter values. Use the provided Sigma rule to detect such activity.\u003c/li\u003e\n\u003cli\u003eInspect uploaded files for malicious content. Deploy the file upload detection Sigma rule to identify potential web shells.\u003c/li\u003e\n\u003cli\u003eBlock connections to the identified malicious URLs to prevent exploit attempts (see IOCs).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-05T15:16:41Z","date_published":"2026-04-05T15:16:41Z","id":"/briefs/2026-04-technostrobe-upload/","summary":"CVE-2026-5573 allows remote attackers to perform unrestricted file uploads on Technostrobe HI-LED-WR120-G2 devices by manipulating the 'cwd' argument when interacting with the /fs file.","title":"Technostrobe HI-LED-WR120-G2 Unrestricted File Upload Vulnerability (CVE-2026-5573)","url":"https://feed.craftedsignal.io/briefs/2026-04-technostrobe-upload/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["rce","file-upload","sharefile"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-2701 is a critical vulnerability affecting ShareFile Storage Zones Controller, allowing authenticated users to upload and execute malicious files on the server, resulting in remote code execution. The vulnerability stems from inadequate input validation and insufficient restrictions on file types during upload. Successful exploitation enables attackers to execute arbitrary code on the affected system, potentially leading to complete system compromise. 
While the specific versions affected are not explicitly stated in the source, the vulnerability was reported in conjunction with a security vulnerability advisory published in February 2026. Defenders should prioritize patching and implementing mitigations to prevent potential exploitation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn authenticated user logs into the ShareFile Storage Zones Controller.\u003c/li\u003e\n\u003cli\u003eThe user navigates to the file upload functionality within the application.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads a specially crafted malicious file (e.g., a web shell or executable).\u003c/li\u003e\n\u003cli\u003eThe application fails to properly validate the file type or content, allowing the malicious file to be stored on the server.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a request to execute the uploaded malicious file. This may involve leveraging OS command injection (CWE-78) or code injection (CWE-94) vulnerabilities.\u003c/li\u003e\n\u003cli\u003eThe server executes the malicious file, granting the attacker arbitrary code execution.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the gained access to move laterally, install backdoors, or exfiltrate sensitive data.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves complete control over the compromised server and potentially the entire ShareFile environment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-2701 allows attackers to execute arbitrary code on the affected ShareFile Storage Zones Controller server. This can lead to a complete compromise of the server, data exfiltration, and potential lateral movement within the network. While the exact number of victims is unknown, any organization using vulnerable versions of ShareFile Storage Zones Controller is at risk. 
Given the nature of ShareFile, this could expose sensitive data belonging to customers and partners.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the security patch referenced in the Progress Software Corporation advisory (\u003ca href=\"https://docs.sharefile.com/en-us/storage-zones-controller/5-0/security-vulnerability-feb26\"\u003ehttps://docs.sharefile.com/en-us/storage-zones-controller/5-0/security-vulnerability-feb26\u003c/a\u003e) to remediate CVE-2026-2701.\u003c/li\u003e\n\u003cli\u003eImplement strict file type validation and sanitization on all file upload functionalities within the ShareFile Storage Zones Controller.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to your SIEM to detect potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious file upload activity or attempts to execute unusual file types using the provided Sigma rule targeting webserver logs.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-02T14:16:27Z","date_published":"2026-04-02T14:16:27Z","id":"/briefs/2026-04-sharefile-rce/","summary":"Authenticated users can upload malicious files to a ShareFile Storage Zones Controller server and execute them, leading to remote code execution, due to improper neutralization of special elements, code generation, and unrestricted file upload.","title":"ShareFile Storage Zones Controller Unauthenticated Remote Code Execution via File Upload (CVE-2026-2701)","url":"https://feed.craftedsignal.io/briefs/2026-04-sharefile-rce/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["path-traversal","file-upload","cve-2026-5027","web-application"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-5027 exposes a critical vulnerability in the \u0026lsquo;POST /api/v2/files\u0026rsquo; endpoint, where the 
\u0026lsquo;filename\u0026rsquo; parameter within multipart form data is not properly sanitized. This flaw allows an attacker to manipulate the filename by injecting path traversal sequences such as \u0026lsquo;../\u0026rsquo;, leading to the ability to write files to arbitrary locations on the server\u0026rsquo;s filesystem. This vulnerability was reported by Tenable Network Security, Inc. and has a CVSS v3.1 base score of 8.8 (HIGH). Successful…\u003c/p\u003e\n","date_modified":"2026-03-27T15:17:04Z","date_published":"2026-03-27T15:17:04Z","id":"/briefs/2026-03-path-traversal-api/","summary":"The 'POST /api/v2/files' endpoint is vulnerable to path traversal due to improper sanitization of the 'filename' parameter, potentially allowing attackers to write files to arbitrary locations on the filesystem and achieve remote code execution.","title":"Path Traversal Vulnerability in API File Upload Endpoint (CVE-2026-5027)","url":"https://feed.craftedsignal.io/briefs/2026-03-path-traversal-api/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["laravel","file-upload","rce","code16/sharp"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe \u003ccode\u003ecode16/sharp\u003c/code\u003e Laravel admin panel package, specifically versions before 9.20.0, is vulnerable to unrestricted file upload. An authenticated user can manipulate the \u003ccode\u003evalidation_rule\u003c/code\u003e parameter in the \u003ccode\u003e/api/form/upload\u003c/code\u003e endpoint to bypass file type restrictions. This vulnerability stems from insufficient server-side validation of the client-supplied \u003ccode\u003evalidation_rule\u003c/code\u003e, which is directly passed to the Laravel validator. Successfully exploiting this vulnerability allows an attacker to upload arbitrary files, including PHP webshells, which can lead to remote code execution (RCE) if the storage disk is publicly accessible. 
The vulnerability was reported by zaurgsynv and has been patched in pull request #714. Defenders should ensure their Sharp instances are updated to version 9.20.0 or later, and restrict disk access.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn authenticated user logs into the Sharp Laravel admin panel.\u003c/li\u003e\n\u003cli\u003eThe user navigates to a section of the application that utilizes the file upload functionality.\u003c/li\u003e\n\u003cli\u003eThe user intercepts the HTTP request sent to the \u003ccode\u003e/api/form/upload\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe user modifies the request body, specifically the \u003ccode\u003evalidation_rule\u003c/code\u003e parameter, setting it to \u003ccode\u003evalidation_rule[]=file\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe modified request is sent to the server, bypassing MIME type and file extension checks.\u003c/li\u003e\n\u003cli\u003eThe server processes the upload request, saving the arbitrary file (e.g., a PHP webshell) to the designated storage disk.\u003c/li\u003e\n\u003cli\u003eIf the storage disk is publicly accessible, the attacker can access the uploaded file via a web browser.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the uploaded PHP webshell, achieving remote code execution (RCE) on the server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows attackers to upload arbitrary files, including PHP webshells, to the affected server. This can lead to Remote Code Execution (RCE) if the server\u0026rsquo;s storage disk is misconfigured to be publicly accessible. While default configurations prevent direct execution of uploaded PHP files, compromised servers can be leveraged for lateral movement, data exfiltration, or further malicious activities. 
This vulnerability impacts all installations of \u003ccode\u003ecode16/sharp\u003c/code\u003e prior to version 9.20.0.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade \u003ccode\u003ecode16/sharp\u003c/code\u003e to version 9.20.0 or later to remediate CVE-2026-33687.\u003c/li\u003e\n\u003cli\u003eEnsure that the storage disk used for Sharp uploads is strictly private, as described in the Laravel filesystem documentation (\u003ca href=\"https://laravel.com/docs/13.x/filesystem\"\u003ehttps://laravel.com/docs/13.x/filesystem\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Sharp File Upload Bypass Attempt\u0026rdquo; to identify attempts to exploit this vulnerability based on the \u003ccode\u003evalidation_rule\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious file uploads to the \u003ccode\u003e/api/form/upload\u003c/code\u003e endpoint, correlating with user activity and file extensions.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-25T20:03:11Z","date_published":"2026-03-25T20:03:11Z","id":"/briefs/2026-06-sharp-file-upload-bypass/","summary":"The code16/sharp Laravel admin panel package contains a vulnerability in its file upload endpoint that allows authenticated users to bypass all file type restrictions by manipulating the validation_rule parameter, potentially leading to Remote Code Execution (RCE) if the storage disk is configured to be publicly accessible.","title":"Sharp Laravel Admin Panel Unrestricted File Upload Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-06-sharp-file-upload-bypass/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["phreebooks","file-upload","rce"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003ePhreeBooks ERP version 5.2.3 contains a critical arbitrary file 
upload vulnerability within its Image Manager component. This vulnerability allows authenticated attackers to bypass security restrictions and upload malicious files to the server. By crafting specific requests to the image upload endpoint, threat actors can inject PHP files. The successful exploitation of this vulnerability allows for arbitrary code execution on the underlying system, potentially leading to full system compromise. This issue was reported and assigned CVE-2019-25630. Successful exploitation requires authentication, limiting the scope of easily exploitable targets. However, the impact of successful exploitation is severe, allowing for complete control of the affected PhreeBooks ERP instance.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker authenticates to the PhreeBooks ERP 5.2.3 application.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the Image Manager component.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request to the \u003ccode\u003ebizuno/image/manager\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe request includes the \u003ccode\u003eimgFile\u003c/code\u003e parameter containing a PHP file disguised as an image (e.g., using a double extension like \u003ccode\u003eevil.php.jpg\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe server saves the uploaded file to a publicly accessible directory.\u003c/li\u003e\n\u003cli\u003eThe attacker then accesses the uploaded PHP file via a direct HTTP request to \u003ccode\u003e/bizunoFS.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ebizunoFS.php\u003c/code\u003e script executes the malicious PHP code.\u003c/li\u003e\n\u003cli\u003eThe attacker gains remote code execution on the server, enabling further malicious activities like data exfiltration or system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 
id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to execute arbitrary code on the PhreeBooks ERP server. This can lead to complete compromise of the server, including data exfiltration, modification of financial records, and denial of service. While the number of affected installations is unknown, the potential impact on compromised systems is significant due to the sensitive data typically managed by ERP systems. Organizations using PhreeBooks ERP 5.2.3 are vulnerable to complete data loss, financial fraud, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply available patches or upgrade to a secure version of PhreeBooks ERP to remediate CVE-2019-25630.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u003ccode\u003ePhreebooks Image Upload\u003c/code\u003e to detect suspicious requests to the \u003ccode\u003ebizuno/image/manager\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for access to PHP files within the image upload directories, as this can be a sign of successful exploitation via \u003ccode\u003ebizunoFS.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eImplement input validation on the server side to prevent uploading files with dangerous extensions like \u003ccode\u003e.php\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-24T12:16:03Z","date_published":"2026-03-24T12:16:03Z","id":"/briefs/2026-03-phreebooks-file-upload/","summary":"PhreeBooks ERP 5.2.3 is vulnerable to arbitrary file upload in the Image Manager component, allowing authenticated attackers to upload malicious PHP files leading to remote code execution.","title":"PhreeBooks ERP 5.2.3 Arbitrary File Upload 
Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-03-phreebooks-file-upload/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["file-upload","remote-code-execution","web-application"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCensus CSWeb 8.0.1 is vulnerable to an arbitrary file upload vulnerability (CVE-2025-60947). An authenticated attacker can leverage this vulnerability to upload malicious files to the server. Successful exploitation could allow the attacker to achieve remote code execution on the targeted system. The vulnerability was patched in version 8.1.0 alpha. This poses a significant risk to organizations using the affected CSWeb version, potentially leading to data breaches, system compromise, and…\u003c/p\u003e\n","date_modified":"2026-03-24T12:00:00Z","date_published":"2026-03-24T12:00:00Z","id":"/briefs/2026-03-census-csweb-file-upload/","summary":"A remote, authenticated attacker can exploit an arbitrary file upload vulnerability in Census CSWeb 8.0.1 (CVE-2025-60947) to upload malicious files, potentially leading to remote code execution.","title":"Census CSWeb 8.0.1 Arbitrary File Upload Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-03-census-csweb-file-upload/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-3844"}],"_cs_exploited":false,"_cs_products":["Breeze Cache plugin"],"_cs_severities":["critical"],"_cs_tags":["wordpress","plugin","file-upload","rce"],"_cs_type":"advisory","_cs_vendors":["Cloudways"],"content_html":"\u003cp\u003eThe Breeze Cache plugin for WordPress, in versions up to and including 2.4.4, contains an arbitrary file upload vulnerability (CVE-2026-3844). This flaw stems from the lack of file type validation within the \u0026lsquo;fetch_gravatar_from_remote\u0026rsquo; function. 
An unauthenticated attacker can exploit this vulnerability to upload arbitrary files to the affected WordPress site\u0026rsquo;s server. Successful exploitation could lead to remote code execution on the server. It is important to note that the vulnerability can only be exploited if the \u0026ldquo;Host Files Locally - Gravatars\u0026rdquo; setting is enabled within the Breeze Cache plugin. This setting is disabled by default, reducing the attack surface. Defenders should prioritize identifying potentially compromised systems running vulnerable versions of Breeze Cache with the \u0026ldquo;Host Files Locally - Gravatars\u0026rdquo; option enabled.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a WordPress site running a vulnerable version (\u0026lt;= 2.4.4) of the Breeze Cache plugin.\u003c/li\u003e\n\u003cli\u003eThe attacker confirms the \u0026ldquo;Host Files Locally - Gravatars\u0026rdquo; option is enabled on the target WordPress site.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the \u0026lsquo;fetch_gravatar_from_remote\u0026rsquo; function. This request contains a payload designed to upload an arbitrary file to the server.\u003c/li\u003e\n\u003cli\u003eDue to the missing file type validation, the server accepts the malicious file upload without proper sanitization. 
The uploaded file can be a PHP file, a web shell, or another executable type.\u003c/li\u003e\n\u003cli\u003eThe attacker determines the location where the file has been saved by the plugin.\u003c/li\u003e\n\u003cli\u003eThe attacker sends an HTTP request to the uploaded file\u0026rsquo;s location, triggering its execution on the server.\u003c/li\u003e\n\u003cli\u003eThe malicious file executes, granting the attacker remote code execution capabilities on the web server.\u003c/li\u003e\n\u003cli\u003eThe attacker can then perform actions such as installing malware, stealing sensitive data, or further compromising the server and network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an unauthenticated attacker to upload arbitrary files to a vulnerable WordPress server. This can lead to complete compromise of the server, allowing for remote code execution. The attacker can then pivot to other systems, steal sensitive information, or cause significant disruption. 
While the \u0026ldquo;Host Files Locally - Gravatars\u0026rdquo; option is disabled by default, any instance where this option is enabled is at critical risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Breeze Cache plugin to the latest version to patch CVE-2026-3844.\u003c/li\u003e\n\u003cli\u003eDisable the \u0026ldquo;Host Files Locally - Gravatars\u0026rdquo; setting in the Breeze Cache plugin if it is enabled.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided below to your SIEM to detect potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious file uploads and requests to unusual file extensions using the provided Sigma rules.\u003c/li\u003e\n\u003cli\u003eImplement strict file upload policies and validation mechanisms on all web applications to prevent arbitrary file uploads.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-02-29T10:00:00Z","date_published":"2024-02-29T10:00:00Z","id":"/briefs/2026-04-breeze-cache-rce/","summary":"The Breeze Cache plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation, potentially leading to remote code execution.","title":"Breeze Cache Plugin Arbitrary File Upload Vulnerability (CVE-2026-3844)","url":"https://feed.craftedsignal.io/briefs/2026-04-breeze-cache-rce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-7711"}],"_cs_exploited":false,"_cs_products":["MindsDB (\u003c= 26.01)"],"_cs_severities":["critical"],"_cs_tags":["cve","vulnerability","file-upload"],"_cs_type":"advisory","_cs_vendors":["MindsDB"],"content_html":"\u003cp\u003eA critical vulnerability, CVE-2026-7711, exists in MindsDB, an open-source machine learning platform, up to version 26.01. 
This flaw resides within the \u003ccode\u003eexec\u003c/code\u003e function of the \u003ccode\u003emindsdb/integrations/handlers/byom_handler/proc_wrapper.py\u003c/code\u003e file, a component of the Engine Handler. The vulnerability allows a remote attacker to perform unrestricted file uploads due to a lack of input validation. Public exploits are available, making exploitation more likely. Successful exploitation could lead to arbitrary code execution on the MindsDB server, potentially compromising the entire system and any data it manages. The vendor was notified but has not responded.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a MindsDB instance running a vulnerable version (\u0026lt;= 26.01).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious request targeting the \u003ccode\u003eexec\u003c/code\u003e function within \u003ccode\u003emindsdb/integrations/handlers/byom_handler/proc_wrapper.py\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThis request includes a payload designed to bypass any existing file type or size restrictions.\u003c/li\u003e\n\u003cli\u003eThe vulnerable \u003ccode\u003eexec\u003c/code\u003e function processes the request without proper validation.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads an arbitrary file, such as a web shell or a malicious executable, to a writeable directory on the server.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the uploaded file, gaining code execution on the server.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the gained access to escalate privileges, move laterally within the network, and potentially exfiltrate sensitive data or install malware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-7711 can have severe consequences. 
An attacker could gain complete control over the MindsDB server, potentially leading to data breaches, service disruption, or further malicious activities within the affected network. Because a MindsDB instance typically holds connection credentials for the data sources it integrates with and the data it trains on, a compromise can extend to those systems, increasing the potential damage. Without remediation, any instance running an affected version is susceptible to remote compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade MindsDB to a release that fixes CVE-2026-7711. Because the vendor had not responded at the time of writing, confirm from the release notes that the fix is present rather than assuming any version above 26.01 is safe, and restrict network access to the MindsDB API to trusted clients in the meantime.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect MindsDB Unrestricted Upload Attempt\u0026rdquo; to identify exploitation attempts targeting the vulnerable \u003ccode\u003eexec\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious POST requests containing file uploads to paths associated with the \u003ccode\u003ebyom_handler\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eImplement strict file upload restrictions and validation on the MindsDB server, even after patching, as a defense-in-depth measure.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-26T12:00:00Z","date_published":"2024-01-26T12:00:00Z","id":"/briefs/2024-01-26-mindsdb-upload/","summary":"CVE-2026-7711 allows for remote, unrestricted file uploads in MindsDB up to version 26.01 due to insufficient validation in the `exec` function of `proc_wrapper.py`, potentially leading to code execution or data exfiltration.","title":"MindsDB Unrestricted File Upload Vulnerability (CVE-2026-7711)","url":"https://feed.craftedsignal.io/briefs/2024-01-26-mindsdb-upload/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-5364"}],"_cs_exploited":false,"_cs_products":["Drag and Drop File Upload for Contact Form 7 
plugin"],"_cs_severities":["high"],"_cs_tags":["wordpress","file-upload","rce","plugin","CVE-2026-5364"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe Drag and Drop File Upload for Contact Form 7 plugin for WordPress, in versions up to and including 1.1.3, contains an arbitrary file upload vulnerability tracked as CVE-2026-5364. The flaw stems from insufficient sanitization of file extensions during the upload process. Specifically, the plugin extracts the file extension before sanitization and allows the file type parameter to be controlled by the attacker. Furthermore, validation occurs on the unsanitized extension, while the file is saved with a sanitized extension, stripping special characters like \u0026lsquo;$\u0026rsquo; during the save. While an .htaccess file and name randomization are present, these restrictions may be bypassable in certain configurations or by exploiting other vulnerabilities. This vulnerability could allow unauthenticated attackers to upload arbitrary PHP files to the web server, potentially leading to remote code execution (RCE).\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a WordPress website using a vulnerable version (\u0026lt;= 1.1.3) of the \u0026ldquo;Drag and Drop File Upload for Contact Form 7\u0026rdquo; plugin.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request targeting the plugin\u0026rsquo;s upload endpoint, typically \u003ccode\u003e/wp-content/plugins/drag-and-drop-multiple-file-upload-contact-form-7/upload.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe POST request includes a file with a manipulated extension, such as \u003ccode\u003eevil.php$.jpg\u003c/code\u003e, where \u003ccode\u003eevil.php\u003c/code\u003e is the malicious PHP payload and the \u003ccode\u003e$\u003c/code\u003e alters what the extension check sees but is stripped again when the file is saved.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the \u003ccode\u003efile type\u003c/code\u003e parameter in the request to reflect the original manipulated file extension (\u003ccode\u003eevil.php$.jpg\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe plugin validates the extension against administrator-configured types but, due to the unsanitized extension and attacker control over the file type parameter, the malicious file passes validation.\u003c/li\u003e\n\u003cli\u003eThe plugin sanitizes the name on save, removing the \u003ccode\u003e$\u003c/code\u003e character; the stored file therefore ends in \u003ccode\u003e.php\u003c/code\u003e, an extension the earlier, unsanitized check never evaluated.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to access the uploaded PHP file via a direct HTTP request to \u003ccode\u003e/wp-content/uploads/\u0026lt;random_name\u0026gt;.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eIf the \u003ccode\u003e.htaccess\u003c/code\u003e restrictions are bypassed (e.g., due to misconfiguration or another vulnerability), the web server executes the malicious PHP code, granting the attacker remote code execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-5364 allows unauthenticated attackers to upload and execute arbitrary PHP code on the target WordPress server. This can lead to complete compromise of the website, including defacement, data theft, and installation of backdoors. While the presence of \u003ccode\u003e.htaccess\u003c/code\u003e and name randomization mitigates the risk, these protections may be bypassed, especially when combined with other vulnerabilities or misconfigurations. Given the widespread use of WordPress and its plugins, this vulnerability poses a significant risk to a large number of websites. 
The CVSS v3.1 base score is 8.1, indicating a high-severity vulnerability.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the \u0026ldquo;Drag and Drop File Upload for Contact Form 7\u0026rdquo; plugin to the latest version (greater than 1.1.3) to patch CVE-2026-5364.\u003c/li\u003e\n\u003cli\u003eImplement a Web Application Firewall (WAF) rule to inspect and block requests whose filename or file type parameters contain executable extensions, including variants padded with characters such as \u003ccode\u003e$\u003c/code\u003e that sanitization later strips, targeting the plugin\u0026rsquo;s upload endpoint (\u003ccode\u003e/wp-content/plugins/drag-and-drop-multiple-file-upload-contact-form-7/upload.php\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious File Upload via Drag and Drop CF7\u003c/code\u003e to identify exploitation attempts in web server logs (cs-uri-query).\u003c/li\u003e\n\u003cli\u003eReview and harden \u003ccode\u003e.htaccess\u003c/code\u003e configurations to ensure that PHP execution is restricted in the \u003ccode\u003e/wp-content/uploads/\u003c/code\u003e directory. Note that \u003ccode\u003e.htaccess\u003c/code\u003e is honoured only by Apache with \u003ccode\u003eAllowOverride\u003c/code\u003e enabled; on nginx, or on Apache configured to ignore \u003ccode\u003e.htaccess\u003c/code\u003e, apply the equivalent restriction in the server configuration itself.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T18:23:00Z","date_published":"2024-01-03T18:23:00Z","id":"/briefs/2024-01-wordpress-plugin-upload/","summary":"The Drag and Drop File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file upload in versions up to 1.1.3, allowing unauthenticated attackers to upload arbitrary PHP files by manipulating the file type parameter and exploiting extension sanitization vulnerabilities.","title":"WordPress Drag and Drop File Upload Plugin Vulnerable to Arbitrary File Upload (CVE-2026-5364)","url":"https://feed.craftedsignal.io/briefs/2024-01-wordpress-plugin-upload/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2022-50993"}],"_cs_exploited":false,"_cs_products":["E-office (\u003c 
10.0_20221201)"],"_cs_severities":["critical"],"_cs_tags":["cve-2022-50993","file-upload","webshell","rce","e-office"],"_cs_type":"advisory","_cs_vendors":["Weaver"],"content_html":"\u003cp\u003eWeaver E-office, a web-based office automation system, is vulnerable to an unauthenticated arbitrary file upload vulnerability (CVE-2022-50993) affecting versions prior to 10.0_20221201. The vulnerability exists within the \u003ccode\u003eOfficeServer.php\u003c/code\u003e endpoint, allowing remote attackers to upload arbitrary files without authentication. This is achieved by sending multipart POST requests with manipulated filenames and content types. The Shadowserver Foundation observed initial exploitation evidence on October 10, 2022. Successful exploitation enables attackers to upload malicious PHP webshells to the Document directory and execute them via HTTP GET requests, leading to remote code execution on the affected server as the web server user. This can compromise the confidentiality, integrity, and availability of the E-office system and the underlying server.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker sends a crafted HTTP POST request to the \u003ccode\u003eOfficeServer.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe POST request includes a multipart form with a file upload field.\u003c/li\u003e\n\u003cli\u003eThe attacker sets an arbitrary filename for the uploaded file, typically with a \u003ccode\u003e.php\u003c/code\u003e extension.\u003c/li\u003e\n\u003cli\u003eThe attacker disguises the content type of the uploaded file to bypass basic server-side checks.\u003c/li\u003e\n\u003cli\u003eThe server saves the uploaded file (a PHP webshell) to the Document directory.\u003c/li\u003e\n\u003cli\u003eThe attacker sends an HTTP GET request to the uploaded PHP webshell file.\u003c/li\u003e\n\u003cli\u003eThe web server executes the PHP code within the 
uploaded file.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves remote code execution as the web server user, enabling further malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2022-50993 allows an unauthenticated attacker to execute arbitrary code on the affected Weaver E-office server. This can lead to complete system compromise, data theft, modification of sensitive data, and disruption of services. The vulnerability has a CVSS v3.1 base score of 9.8, indicating its critical severity. While the number of victims and specific sectors targeted are not detailed, organizations using vulnerable versions of Weaver E-office are at high risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Weaver E-office to version 10.0_20221201 or later to patch CVE-2022-50993.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Weaver E-office Webshell Upload\u0026rdquo; to detect malicious PHP file uploads to the \u003ccode\u003eOfficeServer.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eMonitor web server access logs for requests to the Document directory with \u003ccode\u003e.php\u003c/code\u003e extensions, indicative of webshell execution.\u003c/li\u003e\n\u003cli\u003eImplement web application firewall (WAF) rules to block suspicious POST requests to \u003ccode\u003eOfficeServer.php\u003c/code\u003e with arbitrary file upload attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-weaver-eoffice-upload/","summary":"Weaver E-office versions prior to 10.0_20221201 are vulnerable to unauthenticated arbitrary file upload in the OfficeServer.php endpoint, allowing attackers to upload PHP webshells and achieve remote code execution.","title":"Weaver E-office Unauthenticated Arbitrary File 
Upload Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-weaver-eoffice-upload/"}],"language":"en","title":"CraftedSignal Threat Feed — File Upload","version":"https://jsonfeed.org/version/1.1"}
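Added worked example for the file-upload items in this feed; it is not code from any of the advisories, plugins or vendors above. The first part is a simplified model of the validate-then-sanitize ordering problem described for CVE-2026-5364 (the extension check runs on the raw name, the file is saved under a sanitized one) beside a hardened routine that sanitizes first and validates the name that actually reaches disk. The second part is the log check every recommendation list asks for: a client that POSTs to a known upload endpoint and later requests a PHP file under an upload directory, with the HTTP status showing whether the web server actually served it. The endpoint paths, directory names, extension lists, block-list check and the access-log lines are constructed assumptions for illustration, not the plugins' logic or observed traffic.

```python
"""Added example; not code from any advisory, vendor or plugin in this feed.

Part 1 models the validate-then-sanitize ordering bug described for
CVE-2026-5364 next to a hardened version. Part 2 correlates an upload
POST with a later request for a PHP file under an upload directory.
Endpoint paths, directory names, extension sets and log lines are
constructed assumptions for illustration.
"""
import re
import secrets

# Extensions the web server is assumed to hand to the PHP interpreter.
EXECUTABLE = {"php", "php3", "php4", "php5", "php7", "phtml", "phar"}
# Upload allow-list assumed for the hardened routine.
ALLOWED = {"jpg", "jpeg", "png", "gif", "pdf"}


def sanitize_filename(name: str) -> str:
    """Save-time sanitizer that strips characters such as '$'."""
    return re.sub(r"[^A-Za-z0-9._-]", "", name)


def vulnerable_accept(name: str):
    """Block-list check on the raw extension, then save the sanitized name.

    'php$' is not 'php', so the check passes; the '$' is then stripped and
    the file lands on disk as evil.php. Returns the stored name or None.
    """
    raw_ext = name.rsplit(".", 1)[-1].lower()
    if raw_ext in EXECUTABLE:
        return None
    return sanitize_filename(name)


def hardened_accept(name: str):
    """Sanitize first, allow-list the final extension, reject executable
    segments in multi-dot names, and never reuse the client's base name."""
    clean = sanitize_filename(name).lower()
    parts = clean.split(".")
    if len(parts) < 2 or parts[-1] not in ALLOWED:
        return None
    if any(p in EXECUTABLE for p in parts[:-1]):  # e.g. shell.php.jpg
        return None
    return f"{secrets.token_hex(16)}.{parts[-1]}"


# Part 2: upload-then-execute correlation over access-log lines (assumed paths).
UPLOAD_ENDPOINTS = (
    "/wp-content/plugins/drag-and-drop-multiple-file-upload-contact-form-7/upload.php",
    "/OfficeServer.php",
)
UPLOAD_DIRS = ("/wp-content/uploads/", "/Document/")
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def parse_line(line: str):
    """Return (client, method, path-without-query, status) or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, method, target, status = m.groups()
    return client, method, target.split("?", 1)[0], int(status)


def find_upload_then_execute(lines):
    """Return (client, path, status) for every request to an executable file
    under an upload directory by a client that earlier POSTed to an upload
    endpoint. A 403 means the request was attempted but blocked."""
    uploaders = set()
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        client, method, path, status = rec
        if method == "POST" and path.endswith(UPLOAD_ENDPOINTS):
            uploaders.add(client)
            continue
        ext = path.rsplit(".", 1)[-1].lower() if "." in path else ""
        if client in uploaders and ext in EXECUTABLE and any(d in path for d in UPLOAD_DIRS):
            hits.append((client, path, status))
    return hits


# Constructed sample log (combined log format); addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2022:03:14:07 +0000] "POST /OfficeServer.php HTTP/1.1" 200 188 "-" "python-requests/2.28"
203.0.113.7 - - [10/Oct/2022:03:14:09 +0000] "GET /Document/shell.php?cmd=id HTTP/1.1" 200 64 "-" "python-requests/2.28"
198.51.100.4 - - [10/Oct/2022:03:15:00 +0000] "GET /wp-content/uploads/2022/10/logo.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2022:03:15:02 +0000] "POST /wp-content/plugins/drag-and-drop-multiple-file-upload-contact-form-7/upload.php HTTP/1.1" 200 37 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2022:03:15:05 +0000] "GET /wp-content/uploads/2022/10/a9f3c1.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2022:03:16:00 +0000] "GET /wp-content/uploads/2022/10/report.pdf HTTP/1.1" 200 80000 "-" "Mozilla/5.0"
""".splitlines()


if __name__ == "__main__":
    print("vulnerable:", vulnerable_accept("evil.php$"))  # evil.php
    print("hardened:  ", hardened_accept("evil.php$"))    # None
    for hit in find_upload_then_execute(SAMPLE_LOG):
        print("upload-then-execute:", *hit)
```

The second hit in the sample carries a 403, which is what a working `.htaccess` restriction on the uploads directory looks like in the log: the attempt still merits an alert, but the status separates a blocked probe from a shell that actually ran.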