Vendor
A critical arbitrary file upload vulnerability (CVE-2026-2354) exists in The Swiss Toolkit For WP plugin for WordPress, affecting all versions up to and including 1.4.6. The flaw, located in the `upload_extension_files()` function, allows authenticated attackers with Author-level access or higher to bypass file type validation due to an improper `strpos()` check, enabling the upload of arbitrary files, including PHP scripts, which can lead to remote code execution on the server if the "Enhanced Multi-Format Image Support" feature is active with at least one configured extension.