{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4808", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-25T12:34:19.415Z", "datePublished": "2026-04-08T06:43:40.185Z", "dateUpdated": "2026-04-08T17:04:59.542Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:04:59.542Z"}, "affected": [{"vendor": "tidevapps", "product": "Gerador de Certificados \u2013 DevApps", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.3.6", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Gerador de Certificados \u2013 DevApps plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the moveUploadedFile() function in all versions up to, and including, 1.3.6. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible."}], "title": "Gerador de Certificados \u2013 DevApps <= 1.3.6 - Authenticated (Administrator+) Arbitrary File Upload", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/870bf5fe-00c6-48fe-b9e6-e8233c689b71?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/gerador-de-certificados-devapps/trunk/admin/class-devapps-certificate-generator-admin.php#L346"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-434 Unrestricted Upload of File with Dangerous Type", "cweId": "CWE-434", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.2, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Abhirup Konwar"}], "timeline": [{"time": "2026-02-02T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2026-04-07T17:37:58.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-08T14:18:58.843198Z", "id": "CVE-2026-4808", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T14:19:13.999Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4808", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-08T14:18:58.843198Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T14:19:09.594Z"}}], "cna": {"title": "Gerador de Certificados \u2013 DevApps <= 1.3.6 - Authenticated (Administrator+) Arbitrary File Upload", "credits": [{"lang": "en", "type": "finder", "value": "Abhirup Konwar"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.2, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "tidevapps", "product": "Gerador de Certificados \u2013 DevApps", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.3.6"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-02T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2026-04-07T17:37:58.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/870bf5fe-00c6-48fe-b9e6-e8233c689b71?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/gerador-de-certificados-devapps/trunk/admin/class-devapps-certificate-generator-admin.php#L346"}], "descriptions": [{"lang": "en", "value": "The Gerador de Certificados \u2013 DevApps plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the moveUploadedFile() function in all versions up to, and including, 1.3.6. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-434", "description": "CWE-434 Unrestricted Upload of File with Dangerous Type"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T06:43:40.185Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4808", "state": "PUBLISHED", "dateUpdated": "2026-04-08T14:19:13.999Z", "dateReserved": "2026-03-25T12:34:19.415Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-04-08T06:43:40.185Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Gerador de Certificados \u2013 DevApps plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the moveUploadedFile() function in all versions up to, and including, 1.3.6. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible."}], "id": "CVE-2026-4808", "lastModified": "2026-04-27T19:04:22.650", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-08T07:16:22.517", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/gerador-de-certificados-devapps/trunk/admin/class-devapps-certificate-generator-admin.php#L346"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/870bf5fe-00c6-48fe-b9e6-e8233c689b71?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-434"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.3.6]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Gerador de Certificados \u2013 DevApps", "source": "cna", "vendor": "tidevapps"}, "product": "gerador_de_certificados_\u2013_devapps", "vendor": "tidevapps"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T08:22:56.295688+00:00", "value": {"mitigation_remediation": ["Upgrade the Gerador de Certificados \u2013 DevApps plugin to version 1.3.7 or later, if available.", "If no newer version exists, consider uninstalling the plugin until a patch is released.", "Ensure that only trusted administrators have access to the WordPress admin area, and enforce least\u2011privilege principles.", "As an interim measure, restrict the maximum upload size and configure the server to block execution of uploaded files in the upload directory."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the WordPress plugin Gerador de Certificados \u2013 DevApps from the vendor tidevapps, in all releases up to and including version 1.3.6. Users running these or earlier versions are exposed.", "description_and_impact": "The plugin Gerador de Certificados \u2013 DevApps for WordPress contains an arbitrary file upload vulnerability because the moveUploadedFile() function does not validate file types. Attackers who can authenticate with Administrator or higher privileges can upload any file to the server, and by placing a web\u2011accessible script, may achieve remote code execution. The flaw represents a classic file upload weakness (CWE\u2011434) and compromises the integrity and potential confidentiality of the site.", "risk_and_exploitability": "The CVSS base score of 7.2 indicates a moderate to high severity when the conditions are met. The exploit requires authenticated access with Administrator privileges, making the attack vector internal and limited to privileged users. No public exploit indicators or KEV listing are currently available, and EPSS data is missing, so the likelihood of exploitation today is uncertain, but the potential for serious impact remains if an administrator can be coerced or compromised."}}}}, "created": "2026-04-08T19:31:08.833500+00:00", "updated": "2026-04-08T19:43:42.235821+00:00", "vendors": ["tidevapps", "tidevapps$PRODUCT$gerador_de_certificados_\u2013_devapps", "wordpress", "wordpress$PRODUCT$wordpress"]}