Work The Flow File Upload <= 2.5.2 - Arbitrary File Upload

July 19, 2025 invoker category_cve

CVE Details

Basic Information

Title Work The Flow File Upload <= 2.5.2 - Arbitrary File Upload
Type cve
Published 2025-07-19T11:23:38.202Z
Modified 2025-07-19T11:23:38.202Z

Product Information

Vendor lynton_reed
Product Work The Flow File Upload
Version *

CVSS Information

Base Score 9.8 (CRITICAL)
Attack Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Analysis

AI Description The Work The Flow File Upload plugin for WordPress allows unauthorized file uploads due to insufficient validation, potentially enabling remote code execution.
AI Severity High
AI Vendor WordPress Community
AI Product Work The Flow File Upload
AI Version 2.5.2

Affected Products

  • lynton_reed Work The Flow File Upload *

Additional Information

CWE List CWE-434
Source Wordfence

Description

The Work The Flow File Upload plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the jQuery-File-Upload-9.5.0 server and test files in versions up to, and including, 2.5.2. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected sites server which may make remote code execution possible.

References

💭 Join the Security Discussion

🔒 Your email address will not be published. Required fields are marked *

⚠️ Please be respectful and constructive in your comments. Security discussions should remain professional.