{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1756", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-02T10:22:57.700Z", "datePublished": "2026-02-04T06:42:37.451Z", "dateUpdated": "2026-04-08T17:24:32.763Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:24:32.763Z"}, "affected": [{"vendor": "seezee", "product": "WP FOFT Loader", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.1.39", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The WP FOFT Loader plugin for WordPress is vulnerable to arbitrary file uploads due to incorrect file type validation in the 'WP_FOFT_Loader_Mimes::file_and_ext' function in all versions up to, and including, 2.1.39. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible."}], "title": "WP FOFT Loader <= 2.1.39 - Authenticated (Author+) Arbitrary File Upload", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cede8ff5-f739-4eb3-9672-5adb5d2ae0a9?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-foft-loader/trunk/includes/class-wp-foft-loader-mimes.php?rev=3449144#L45"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-foft-loader/trunk/includes/class-wp-foft-loader-mimes.php?rev=3449144#L31"}, {"url": "https://plugins.trac.wordpress.org/changeset/3453101/wp-foft-loader/trunk/includes/class-wp-foft-loader-mimes.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-434 Unrestricted Upload of File with Dangerous Type", "cweId": "CWE-434", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Williwollo"}], "timeline": [{"time": "2026-02-02T18:26:36.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-02-03T17:31:06.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-04T16:59:26.260663Z", "id": "CVE-2026-1756", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-04T16:59:57.807Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1756", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-04T16:59:26.260663Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-04T16:59:54.618Z"}}], "cna": {"title": "WP FOFT Loader <= 2.1.39 - Authenticated (Author+) Arbitrary File Upload", "credits": [{"lang": "en", "type": "finder", "value": "Williwollo"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 8.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "seezee", "product": "WP FOFT Loader", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.1.39"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-02T18:26:36.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-02-03T17:31:06.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cede8ff5-f739-4eb3-9672-5adb5d2ae0a9?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-foft-loader/trunk/includes/class-wp-foft-loader-mimes.php?rev=3449144#L45"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-foft-loader/trunk/includes/class-wp-foft-loader-mimes.php?rev=3449144#L31"}, {"url": "https://plugins.trac.wordpress.org/changeset/3453101/wp-foft-loader/trunk/includes/class-wp-foft-loader-mimes.php"}], "descriptions": [{"lang": "en", "value": "The WP FOFT Loader plugin for WordPress is vulnerable to arbitrary file uploads due to incorrect file type validation in the 'WP_FOFT_Loader_Mimes::file_and_ext' function in all versions up to, and including, 2.1.39. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-434", "description": "CWE-434 Unrestricted Upload of File with Dangerous Type"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:24:32.763Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1756", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:24:32.763Z", "dateReserved": "2026-02-02T10:22:57.700Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-02-04T06:42:37.451Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The WP FOFT Loader plugin for WordPress is vulnerable to arbitrary file uploads due to incorrect file type validation in the 'WP_FOFT_Loader_Mimes::file_and_ext' function in all versions up to, and including, 2.1.39. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible."}, {"lang": "es", "value": "El plugin WP FOFT Loader para WordPress es vulnerable a la carga arbitraria de archivos debido a una validaci\u00f3n incorrecta del tipo de archivo en la funci\u00f3n 'WP_FOFT_Loader_Mimes::file_and_ext' en todas las versiones hasta la 2.1.39, inclusive. Esto permite a atacantes autenticados, con acceso de nivel Autor o superior, cargar archivos arbitrarios en el servidor del sitio afectado, lo que podr\u00eda posibilitar la ejecuci\u00f3n remota de c\u00f3digo."}], "id": "CVE-2026-1756", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-02-04T07:15:59.267", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wp-foft-loader/trunk/includes/class-wp-foft-loader-mimes.php?rev=3449144#L31"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wp-foft-loader/trunk/includes/class-wp-foft-loader-mimes.php?rev=3449144#L45"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3453101/wp-foft-loader/trunk/includes/class-wp-foft-loader-mimes.php"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cede8ff5-f739-4eb3-9672-5adb5d2ae0a9?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-434"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-15T18:52:24.122191+00:00", "value": {"mitigation_remediation": ["Upgrade WP FOFT Loader to a version newer than 2.1.39 to apply the vendor\u2011released fix for the file type validation bug. ", "If an upgrade is not immediately possible, restrict or disable the Author capability to upload files, or temporarily deactivate the plugin to prevent the upload functionality. ", "Implement additional server\u2011side validation or a security plugin that blocks disallowed file types and monitors for uploaded files to mitigate the exploitation risk."], "summary": {"action": "Immediate Patch", "impact": "Arbitrary file upload with potential remote code execution"}, "threat_synthesis": {"affected_systems": "WordPress sites using the WP FOFT Loader plugin from the vendor seezee. Any installation of the plugin up to and including version 2.1.39 is susceptible. Sites that have not upgraded beyond this version remain at risk.", "description_and_impact": "The WP FOFT Loader plugin allows authenticated users with Author-level access to upload files to the server without proper type validation. This flaw can be leveraged to place malicious files on the site, creating a pathway for remote code execution. The weakness is a classic example of invalid file type validation (CWE-434). The result is a compromise of integrity and the possibility of executing arbitrary code on the host. The impact is immediate and severe, affecting both confidentiality and availability if the attacker gains further access.", "risk_and_exploitability": "The CVSS score of 8.8 indicates a high severity vulnerability. The EPSS score of less than 1% suggests a low probability of exploitation in the wild, and the issue is not listed in the CISA KEV catalog. The attack vector is authenticated; an attacker must have Author or higher access to the WordPress site to exploit the flaw. Once authenticated, the attacker can upload arbitrary files, potentially leading to remote code execution if other conditions are satisfied."}}}}, "created": "2026-02-04T21:18:24.430348+00:00", "updated": "2026-04-15T19:00:12.284224+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}