{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28114", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-25T12:14:07.578Z", "datePublished": "2026-03-05T05:54:27.931Z", "dateUpdated": "2026-04-28T17:45:52.423Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://codecanyon.net", "defaultStatus": "unaffected", "packageName": "fs-license-manager", "product": "WooCommerce License Manager", "vendor": "firassaidi", "versions": [{"changes": [{"at": "7.0.7", "status": "unaffected"}], "lessThanOrEqual": "7.0.6", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Bonds | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-28T13:51:48.336Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Unrestricted Upload of File with Dangerous Type vulnerability in firassaidi WooCommerce License Manager fs-license-manager allows Upload a Web Shell to a Web Server.<p>This issue affects WooCommerce License Manager: from n/a through <= 7.0.6.</p>"}], "value": "Unrestricted Upload of File with Dangerous Type vulnerability in firassaidi WooCommerce License Manager fs-license-manager allows Upload a Web Shell to a Web Server.This issue affects WooCommerce License Manager: from n/a through <= 7.0.6."}], "impacts": [{"capecId": "CAPEC-650", "descriptions": [{"lang": "en", "value": "Upload a Web Shell to a Web Server"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-434", "description": "Unrestricted Upload of File with Dangerous Type", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:15:08.663Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/fs-license-manager/vulnerability/wordpress-woocommerce-license-manager-plugin-6-0-5-arbitrary-file-upload-vulnerability?_s_id=cve"}], "title": "WordPress WooCommerce License Manager plugin <= 7.0.6 - Arbitrary File Upload vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-05T18:56:28.429504Z", "id": "CVE-2026-28114", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T17:45:52.423Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28114", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-25T12:14:07.578Z", "datePublished": "2026-03-05T05:54:27.931Z", "dateUpdated": "2026-04-28T17:45:52.423Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://codecanyon.net", "defaultStatus": "unaffected", "packageName": "fs-license-manager", "product": "WooCommerce License Manager", "vendor": "firassaidi", "versions": [{"changes": [{"at": "7.0.7", "status": "unaffected"}], "lessThanOrEqual": "7.0.6", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Bonds | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-28T13:51:48.336Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Unrestricted Upload of File with Dangerous Type vulnerability in firassaidi WooCommerce License Manager fs-license-manager allows Upload a Web Shell to a Web Server.<p>This issue affects WooCommerce License Manager: from n/a through <= 7.0.6.</p>"}], "value": "Unrestricted Upload of File with Dangerous Type vulnerability in firassaidi WooCommerce License Manager fs-license-manager allows Upload a Web Shell to a Web Server.This issue affects WooCommerce License Manager: from n/a through <= 7.0.6."}], "impacts": [{"capecId": "CAPEC-650", "descriptions": [{"lang": "en", "value": "Upload a Web Shell to a Web Server"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-434", "description": "Unrestricted Upload of File with Dangerous Type", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:15:08.663Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/fs-license-manager/vulnerability/wordpress-woocommerce-license-manager-plugin-6-0-5-arbitrary-file-upload-vulnerability?_s_id=cve"}], "title": "WordPress WooCommerce License Manager plugin <= 7.0.6 - Arbitrary File Upload vulnerability"}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-28114", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-05T18:56:28.429504Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-05T18:56:18.976Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Unrestricted Upload of File with Dangerous Type vulnerability in firassaidi WooCommerce License Manager fs-license-manager allows Upload a Web Shell to a Web Server.This issue affects WooCommerce License Manager: from n/a through <= 7.0.6."}, {"lang": "es", "value": "Vulnerabilidad de carga sin restricciones de archivo con tipo peligroso en firassaidi WooCommerce License Manager fs-license-manager permite cargar un shell web a un servidor web. Este problema afecta a WooCommerce License Manager: desde n/a hasta &lt;= 7.0.6."}], "id": "CVE-2026-28114", "lastModified": "2026-04-22T21:27:27.950", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 6.0, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-05T06:16:45.950", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/fs-license-manager/vulnerability/wordpress-woocommerce-license-manager-plugin-6-0-5-arbitrary-file-upload-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-434"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,7.0.6]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[7.0.7,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "WooCommerce License Manager", "source": "cna", "vendor": "firassaidi"}, "product": "woocommerce_license_manager", "vendor": "firassaidi"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-16T04:47:57.553439+00:00", "value": {"mitigation_remediation": ["Update the WooCommerce License Manager plugin to a version newer than 7.0.6 or apply the vendor\u2019s official fix.", "Configure the upload handler to reject disallowed file types and only accept safe extensions (e.g., .png, .jpg), blocking .php and other executable extensions.", "Change the permissions of the directory used for uploads so it is not writable or executable by the web server user, preventing uploaded code from running."], "summary": {"action": "Immediate Patch", "impact": "Remote code execution via arbitrary file upload"}, "threat_synthesis": {"affected_systems": "The issue affects WordPress sites that host the WooCommerce License Manager (fs\u2011license\u2011manager) plugin developed by firassaidi. All installations running any release up to and including version 7.0.6 are susceptible; newer releases are presumed fixed.", "description_and_impact": "This vulnerability arises from an unrestricted upload mechanism in the WooCommerce License Manager plugin through version 7.0.6. An attacker can place any file on the server, including a web shell, which would allow unchecked execution of arbitrary code on the host. The weakness corresponds to CWE-434, representing an improper restriction of a file type uploaded to a system. The severity reflected by a CVSS score of 9.1 indicates that an exploitation yields full remote control of the affected web application, potentially compromising site data, credentials, and the underlying server.", "risk_and_exploitability": "The CVSS base score of 9.1 and a low but nonzero EPSS probability (<1%) suggest that, while the exploitation window may not be large, the consequence of exploitation is catastrophic. The vulnerability is not listed in the CISA KEV catalog, indicating it may not currently be actively exploited in the wild. Attackers would need access to the plugin\u2019s upload endpoint; based on the description, it is inferred that this endpoint may be limited to authenticated users with upload rights, yet the vulnerability description suggests that any interaction with the upload form could allow exploitation. Once a web shell is in place, the attacker can execute commands on the server, export data, or pivot further into the network. The combination of high severity, potential for remote command execution, and minimal protection measures warrants urgent remediation."}}}}, "created": "2026-03-06T15:08:25.664290+00:00", "updated": "2026-04-16T05:00:09.661385+00:00", "vendors": ["firassaidi", "firassaidi$PRODUCT$woocommerce_license_manager", "wordpress", "wordpress$PRODUCT$wordpress"]}