{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28133", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-25T12:14:18.579Z", "datePublished": "2026-03-05T05:54:31.266Z", "dateUpdated": "2026-04-28T16:15:09.431Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "filr-protection", "product": "Filr", "vendor": "WP Chill", "versions": [{"lessThanOrEqual": "1.2.14", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Que Thanh Tuan | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-28T13:51:45.741Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Unrestricted Upload of File with Dangerous Type vulnerability in WP Chill Filr filr-protection allows Upload a Web Shell to a Web Server.<p>This issue affects Filr: from n/a through <= 1.2.14.</p>"}], "value": "Unrestricted Upload of File with Dangerous Type vulnerability in WP Chill Filr filr-protection allows Upload a Web Shell to a Web Server.This issue affects Filr: from n/a through <= 1.2.14."}], "impacts": [{"capecId": "CAPEC-650", "descriptions": [{"lang": "en", "value": "Upload a Web Shell to a Web Server"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-434", "description": "Unrestricted Upload of File with Dangerous Type", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:15:09.431Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/filr-protection/vulnerability/wordpress-filr-plugin-1-2-12-arbitrary-file-upload-vulnerability?_s_id=cve"}], "title": "WordPress Filr plugin <= 1.2.14 - Arbitrary File Upload vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-10T20:58:58.598233Z", "id": "CVE-2026-28133", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T13:38:59.037Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-28133", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-10T20:58:58.598233Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-11T16:00:25.217Z"}}], "cna": {"title": "WordPress Filr plugin <= 1.2.14 - Arbitrary File Upload vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Que Thanh Tuan | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-650", "descriptions": [{"lang": "en", "value": "Upload a Web Shell to a Web Server"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "WP Chill", "product": "Filr", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "1.2.14"}], "packageName": "filr-protection", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-28T13:51:45.741Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/filr-protection/vulnerability/wordpress-filr-plugin-1-2-12-arbitrary-file-upload-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Unrestricted Upload of File with Dangerous Type vulnerability in WP Chill Filr filr-protection allows Upload a Web Shell to a Web Server.This issue affects Filr: from n/a through <= 1.2.14.", "supportingMedia": [{"type": "text/html", "value": "Unrestricted Upload of File with Dangerous Type vulnerability in WP Chill Filr filr-protection allows Upload a Web Shell to a Web Server.<p>This issue affects Filr: from n/a through <= 1.2.14.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-434", "description": "Unrestricted Upload of File with Dangerous Type"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T12:10:56.598Z"}}}, "cveMetadata": {"cveId": "CVE-2026-28133", "state": "PUBLISHED", "dateUpdated": "2026-04-28T13:38:59.037Z", "dateReserved": "2026-02-25T12:14:18.579Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-05T05:54:31.266Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Unrestricted Upload of File with Dangerous Type vulnerability in WP Chill Filr filr-protection allows Upload a Web Shell to a Web Server.This issue affects Filr: from n/a through <= 1.2.14."}, {"lang": "es", "value": "Vulnerabilidad de carga sin restricciones de archivo con tipo peligroso en WP Chill Filr filr-protection permite cargar un shell web a un servidor web. Este problema afecta a Filr: desde n/a hasta &lt;= 1.2.12."}], "id": "CVE-2026-28133", "lastModified": "2026-04-28T15:16:27.277", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 6.0, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-03-05T06:16:48.060", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/filr-protection/vulnerability/wordpress-filr-plugin-1-2-12-arbitrary-file-upload-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-434"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.2.12]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Filr", "source": "cna", "vendor": "WP Chill"}, "product": "filr", "vendor": "wp_chill"}], "analysis": {"en": {"generated_at": "2026-04-29T00:51:15.578459+00:00", "value": {"mitigation_remediation": ["Upgrade the Filr plugin to a version that fixes the upload validation issue.", "If an upgrade is not possible, disable or delete the Filr plugin to eliminate the upload vector.", "If the plugin must remain, configure the web server or a WAF to block execution of uploaded files (e.g., deny PHP, .exe, or other executable extensions in the upload directory)."], "summary": {"action": "Immediate Update", "impact": "Arbitrary file upload allowing web shell deployment, leading to remote code execution"}, "threat_synthesis": {"affected_systems": "WP Chill Filr plugin, versions n/a through 1.2.14, installed on WordPress websites.", "description_and_impact": "The vulnerability permits an attacker to upload any file type, including executable web shells, to a WordPress site. This flaw originates from insufficient file type validation (CWE-434) and, if a malicious script is uploaded, can result in remote code execution, compromising the confidentiality, integrity, and availability of the affected system.", "risk_and_exploitability": "With a CVSS score of 8.5, the flaw is considered high severity. The EPSS score of less than 1% suggests exploitation is currently unlikely, yet the presence of an unauthenticated upload interface indicates that a remote attacker could exploit it by simply sending a specially crafted request to the plugin\u2019s upload endpoint. The vulnerability is not listed in CISA\u2019s KEV catalog, but the potential for remote code execution warrants proactive mitigation."}}}}, "created": "2026-03-06T15:08:10.817528+00:00", "updated": "2026-04-29T01:00:11.355820+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "wp_chill", "wp_chill$PRODUCT$filr"]}