The Swiss Toolkit For WP plugin for WordPress is vulnerable to arbitrary file upload due to a flawed file type validation bypass in the upload_extension_files() function in all versions up to, and including, 1.4.6. The upload_extension_files() function hooks into WordPress's wp_check_filetype_and_ext filter and uses strpos() to check if a filename contains a configured extension string, rather than verifying the actual file extension. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files (including PHP) on the affected site's server which may make remote code execution possible, granted the "Enhanced Multi-Format Image Support" feature is enabled with at least one extension (e.g., avif) in the allowed formats.
CVE-2026-2354
Score 8.8 from GitHub Security Advisory (severity: HIGH) published 2026-07-11. a secondary CVSS source baseline 8.8; sources differ by 0.0.
- High severity, but no confirmed exploitation yet
No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.
- CVSS v3
- 8.8
- EG Score
- 8.8(high)
- EPSS
- 42.3%
- KEV
- Not listed
Published
July 11, 2026
Last Modified
July 13, 2026
References (5)
- security@wordfencehttps://plugins.trac.wordpress.org/browser/swiss-toolkit-for-wp/tags/1.4.2/includes/plugins/class-boomdevs-swiss-toolkit-extension-supports.php#L49
- security@wordfencehttps://plugins.trac.wordpress.org/browser/swiss-toolkit-for-wp/tags/1.4.2/includes/plugins/class-boomdevs-swiss-toolkit-extension-supports.php#L95
- security@wordfencehttps://plugins.trac.wordpress.org/browser/swiss-toolkit-for-wp/trunk/includes/plugins/class-boomdevs-swiss-toolkit-extension-supports.php#L49
- security@wordfencehttps://plugins.trac.wordpress.org/browser/swiss-toolkit-for-wp/trunk/includes/plugins/class-boomdevs-swiss-toolkit-extension-supports.php#L95
- security@wordfencehttps://www.wordfence.com/threat-intel/vulnerabilities/id/06bccd2e-6891-433a-9f5b-3ec0c30afef4?source=cve
Vendor Advisories for CVE-2026-2354(1)
These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.
Weakness Classification(1)
MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.
Data Freshness Timeline
(refreshed 22× in last 7d / 22× in last 30d)
Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.
- 2026-07-15 02:00 UTCEPSS rescore
- 2026-07-15 02:00 UTCEPSS rescore
- 2026-07-14 22:11 UTCEG score recompute
- 2026-07-14 22:11 UTCGHSA enrichment
- 2026-07-14 09:23 UTCEG score recompute
- 2026-07-14 09:23 UTCGHSA enrichment
- 2026-07-13 22:30 UTCEPSS rescore
- 2026-07-13 20:34 UTCEG score recompute
- 2026-07-13 20:34 UTCGHSA enrichment
- 2026-07-13 07:48 UTCEG score recompute
- 2026-07-13 07:48 UTCGHSA enrichment
- 2026-07-13 06:13 UTCEPSS rescore
- 2026-07-13 06:13 UTCEPSS rescore
- 2026-07-12 19:01 UTCEG score recompute
- 2026-07-12 19:01 UTCGHSA enrichment
- 2026-07-12 06:14 UTCEG score recompute
- 2026-07-12 06:14 UTCGHSA enrichment
- 2026-07-12 05:46 UTCEPSS rescore
- 2026-07-11 17:25 UTCEG score recompute
- 2026-07-11 17:25 UTCGHSA enrichment
- 2026-07-11 04:38 UTCEG score recompute
- 2026-07-11 04:37 UTCMITRE cvelistV5first tracked
Related CVEs(same CWE)
Same CWE
10 shownCWE-434
Frequently asked(5)
What is CVE-2026-2354?
When was CVE-2026-2354 disclosed?
Is CVE-2026-2354 actively exploited?
What is the CVSS score of CVE-2026-2354?
How do I remediate CVE-2026-2354?
Dependency Blast Radius
Explore the affected products and dependency analysis for CVE-2026-2354
Is Your Infrastructure Affected by CVE-2026-2354?
EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.