{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1730", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-01-31T19:01:42.116Z", "datePublished": "2026-02-03T07:31:24.084Z", "dateUpdated": "2026-04-08T17:20:20.702Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:20:20.702Z"}, "affected": [{"vendor": "skirridsystems", "product": "OS DataHub Maps", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.8.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The OS DataHub Maps plugin for WordPress is vulnerable to arbitrary file uploads due to incorrect file type validation in the 'OS_DataHub_Maps_Admin::add_file_and_ext' function in all versions up to, and including, 1.8.3. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible."}], "title": "OS DataHub Maps <= 1.8.3 - Authenticated (Author+) Arbitrary File Upload", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c32ba2a0-a9a7-4f17-8169-912cecc40b7b?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/os-datahub-maps/trunk/include/osmap-admin.php?rev=3449192#L67"}, {"url": "https://plugins.trac.wordpress.org/browser/os-datahub-maps/trunk/include/osmap-admin.php?rev=3449192#L51"}, {"url": "https://plugins.trac.wordpress.org/browser/os-datahub-maps/trunk/os-datahub-maps.php?rev=3449192#L87"}, {"url": "https://plugins.trac.wordpress.org/changeset/3452323/os-datahub-maps"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-434 Unrestricted Upload of File with Dangerous Type", "cweId": "CWE-434", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Williwollo"}], "timeline": [{"time": "2026-02-02T15:25:23.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-02-02T18:50:54.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-03T15:44:52.960954Z", "id": "CVE-2026-1730", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-03T15:45:00.936Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1730", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-03T15:44:52.960954Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-03T15:44:57.355Z"}}], "cna": {"title": "OS DataHub Maps <= 1.8.3 - Authenticated (Author+) Arbitrary File Upload", "credits": [{"lang": "en", "type": "finder", "value": "Williwollo"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 8.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "skirridsystems", "product": "OS DataHub Maps", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.8.3"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-02T15:25:23.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-02-02T18:50:54.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c32ba2a0-a9a7-4f17-8169-912cecc40b7b?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/os-datahub-maps/trunk/include/osmap-admin.php?rev=3449192#L67"}, {"url": "https://plugins.trac.wordpress.org/browser/os-datahub-maps/trunk/include/osmap-admin.php?rev=3449192#L51"}, {"url": "https://plugins.trac.wordpress.org/browser/os-datahub-maps/trunk/os-datahub-maps.php?rev=3449192#L87"}, {"url": "https://plugins.trac.wordpress.org/changeset/3452323/os-datahub-maps"}], "descriptions": [{"lang": "en", "value": "The OS DataHub Maps plugin for WordPress is vulnerable to arbitrary file uploads due to incorrect file type validation in the 'OS_DataHub_Maps_Admin::add_file_and_ext' function in all versions up to, and including, 1.8.3. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-434", "description": "CWE-434 Unrestricted Upload of File with Dangerous Type"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:20:20.702Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1730", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:20:20.702Z", "dateReserved": "2026-01-31T19:01:42.116Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-02-03T07:31:24.084Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The OS DataHub Maps plugin for WordPress is vulnerable to arbitrary file uploads due to incorrect file type validation in the 'OS_DataHub_Maps_Admin::add_file_and_ext' function in all versions up to, and including, 1.8.3. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible."}, {"lang": "es", "value": "El plugin OS DataHub Maps para WordPress es vulnerable a cargas de archivos arbitrarias debido a una validaci\u00f3n incorrecta del tipo de archivo en la funci\u00f3n 'OS_DataHub_Maps_Admin::add_file_and_ext' en todas las versiones hasta la 1.8.3, inclusive. Esto hace posible que atacantes autenticados, con acceso de nivel de Autor y superior, carguen archivos arbitrarios en el servidor del sitio afectado, lo que puede hacer posible la ejecuci\u00f3n remota de c\u00f3digo."}], "id": "CVE-2026-1730", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-02-03T08:16:15.180", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/os-datahub-maps/trunk/include/osmap-admin.php?rev=3449192#L51"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/os-datahub-maps/trunk/include/osmap-admin.php?rev=3449192#L67"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/os-datahub-maps/trunk/os-datahub-maps.php?rev=3449192#L87"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3452323/os-datahub-maps"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c32ba2a0-a9a7-4f17-8169-912cecc40b7b?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-434"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-15T17:30:59.461161+00:00", "value": {"mitigation_remediation": ["Update the OS DataHub Maps plugin to the latest available version that removes the improper file type validation.", "If an immediate update is not possible, disable or restrict the file upload feature so that only safely validated file types can be uploaded, such as by using WordPress file type restrictions or a dedicated security plugin.", "Review and limit user roles\u2014remove Author-level access from users who do not require it\u2014to reduce the number of accounts able to upload files."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "This vulnerability affects the OS DataHub Maps plugin from skirridsystems, available in all WordPress installations up to and including version 1.8.3. Users who have installed any of these versions and have Author or higher role permissions are at risk.", "description_and_impact": "The OS DataHub Maps WordPress plugin suffers from incorrect file type validation in the function OS_DataHub_Maps_Admin::add_file_and_ext. This flaw allows an authenticated user with Author-level or higher access to upload any file type to the site\u2019s server. Once an attacker can place malicious files, they may achieve remote code execution by uploading a script or other exploitative payload. The flaw is identified as CWE\u2011434, which represents improper validation of file type or extension.", "risk_and_exploitability": "The vulnerability carries a CVSS score of 8.8, indicating a high severity potential for remote code execution. The EPSS score is less than 1%, suggesting that, while the flaw is serious, it is currently unlikely to be widely exploited. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires legitimate access with Author-level privileges, making it a credentialed attack; thus, the primary risk lies with internal users who have sufficient permissions."}}}}, "created": "2026-02-04T12:14:56.471845+00:00", "updated": "2026-04-15T18:00:15.519191+00:00", "vendors": ["skirridsystems", "skirridsystems$PRODUCT$os_datahub_maps", "wordpress", "wordpress$PRODUCT$wordpress"]}