CWE-434— Unrestricted Upload of File with Dangerous Type
The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.— MITRE CWE catalog
4,080 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-434page 44 of 82
- CVE-2023-5490HIGHCVSS 8.8EG 6.32023-10-10
A vulnerability classified as critical was found in Byzoro Smart S45F Multi-Service Secure Gateway Intelligent Management Platform up to 20230928. This vulnerability affects unknown code of the file /useratte/userattestation.php. The manip…
- CVE-2023-5491HIGHCVSS 8.8EG 6.32023-10-10
A vulnerability, which was classified as critical, has been found in Byzoro Smart S45F Multi-Service Secure Gateway Intelligent Management Platform up to 20230928. This issue affects some unknown processing of the file /sysmanage/updatelib…
- CVE-2023-5492HIGHCVSS 8.8EG 6.32023-10-10
A vulnerability, which was classified as critical, was found in Byzoro Smart S45F Multi-Service Secure Gateway Intelligent Management Platform up to 20230928. Affected is an unknown function of the file /sysmanage/licence.php. The manipula…
- CVE-2023-5493HIGHCVSS 8.8EG 6.32023-10-10
A vulnerability has been found in Byzoro Smart S45F Multi-Service Secure Gateway Intelligent Management Platform up to 20230928 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /useratte/we…
- CVE-2023-5524HIGHCVSS 7.3EG 8.22023-10-20
Insufficient blacklisting in M-Files Web Companion before release version 23.10 and LTS Service Release Versions before 23.8 LTS SR1 allows Remote Code Execution via specific file types
- CVE-2023-5601CRITICALCVSS 9.8EG 9.82023-11-06
The WooCommerce Ninja Forms Product Add-ons WordPress plugin before 1.7.1 does not validate the file to be uploaded, allowing any unauthenticated users to upload arbitrary files to the server, leading to RCE.
- CVE-2023-5604CRITICALCVSS 9.8EG 9.82023-11-27
The Asgaros Forum WordPress plugin before 2.7.1 allows forum administrators, who may not be WordPress (super-)administrators, to set insecure configuration that allows unauthenticated users to upload dangerous files (e.g. .php, .phtml), po…
- CVE-2023-5636CRITICALCVSS 9.8EG 9.82023-12-01
Unrestricted Upload of File with Dangerous Type vulnerability in ArslanSoft Education Portal allows Command Injection. This issue affects Education Portal: before v1.1.
- CVE-2023-5637HIGHCVSS 7.5EG 7.52023-12-01
Unrestricted Upload of File with Dangerous Type vulnerability in ArslanSoft Education Portal allows Read Sensitive Strings Within an Executable. This issue affects Education Portal: before v1.1.
- CVE-2023-5673HIGHCVSS 8.8EG 8.82023-12-26
The WP Mail Log WordPress plugin before 1.1.3 does not properly validate file extensions uploading files to attach to emails, allowing attackers to upload PHP files, leading to remote code execution.
- CVE-2023-5790CRITICALCVSS 9.8EG 6.32023-10-26
A vulnerability classified as critical was found in SourceCodester File Manager App 1.0. Affected by this vulnerability is an unknown functionality of the file endpoint/add-file.php. The manipulation of the argument uploadedFileName leads …
- CVE-2023-5795HIGHCVSS 8.8EG 6.32023-10-26
A vulnerability was found in CodeAstro POS System 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /profil of the component Profile Picture Handler. The manipulation leads to unr…
- CVE-2023-5796HIGHCVSS 8.8EG 6.32023-10-26
A vulnerability was found in CodeAstro POS System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /setting of the component Logo Handler. The manipulation leads to unrestricted upload. T…
- CVE-2023-5812HIGHCVSS 8.8EG 4.72023-10-27
A vulnerability has been found in flusity CMS and classified as critical. Affected by this vulnerability is the function handleFileUpload of the file core/tools/upload.php. The manipulation of the argument uploaded_file leads to unrestrict…
- CVE-2023-5822CRITICALCVSS 9.8EG 8.12023-11-22
The Drag and Drop Multiple File Upload - Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'dnd_upload_cf7_upload' function in versions up to, and including, 1.3.7.3…
- CVE-2023-5829HIGHCVSS 8.8EG 6.32023-10-27
A vulnerability was found in code-projects Admission Management System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file student_avatar.php. The manipulation leads to unrestricted upload. …
- CVE-2023-5860HIGHCVSS 7.2EG 7.22023-11-02
The Icons Font Loader plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the upload function in all versions up to, and including, 1.1.2. This makes it possible for authenticated attackers, …
- CVE-2023-5901MEDIUMCVSS 4.8EG 4.82023-11-07
Cross-site Scripting in GitHub repository pkp/pkp-lib prior to 3.3.0-16.
- CVE-2023-5919HIGHCVSS 7.2EG 4.72023-11-02
A vulnerability was found in SourceCodester Company Website CMS 1.0 and classified as problematic. Affected by this issue is some unknown functionality of the file /dashboard/createblog of the component Create Blog Page. The manipulation l…
- CVE-2023-5931HIGHCVSS 8.8EG 8.82023-12-26
The rtMedia for WordPress, BuddyPress and bbPress WordPress plugin before 4.6.16 does not validate files to be uploaded, which could allow attackers with a low-privilege account (e.g. subscribers) to upload arbitrary files such as PHP on t…
- CVE-2023-5953HIGHCVSS 8.8EG 8.82023-12-04
The Welcart e-Commerce WordPress plugin before 2.9.5 does not validate files to be uploaded, as well as does not have authorisation and CSRF in an AJAX action handling such upload. As a result, any authenticated users, such as subscriber c…
- CVE-2023-5957HIGHCVSS 7.2EG 7.22024-01-08
The Ni Purchase Order(PO) For WooCommerce WordPress plugin through 1.2.1 does not validate logo and signature image files uploaded in the settings, allowing high privileged user to upload arbitrary files to the web server, triggering an RC…
- CVE-2023-5965HIGHCVSS 7.2EG 9.12023-11-30
An authenticated privileged attacker could upload a specially crafted zip to the EspoCRM server in version 7.2.5, via the update form, which could lead to arbitrary PHP code execution.
- CVE-2023-5966HIGHCVSS 7.2EG 9.12023-11-30
An authenticated privileged attacker could upload a specially crafted zip to the EspoCRM server in version 7.2.5, via the extension deployment form, which could lead to arbitrary PHP code execution.
- CVE-2023-6090CRITICALCVSS 9.1EG 9.12024-02-29
Unrestricted Upload of File with Dangerous Type vulnerability in Mollie Mollie Payments for WooCommerce.This issue affects Mollie Payments for WooCommerce: from n/a through 7.3.11.
- CVE-2023-6091HIGHCVSS 7.2EG 7.22024-03-26
Unrestricted Upload of File with Dangerous Type vulnerability in mndpsingh287 Theme Editor.This issue affects Theme Editor: from n/a through 2.7.1.
- CVE-2023-6102CRITICALCVSS 9.8EG 5.32023-11-13
A vulnerability, which was classified as problematic, was found in Maiwei Safety Production Control Platform 4.1. Affected is an unknown function of the file /Content/Plugins/uploader/FileChoose.html?fileUrl=/Upload/File/Pics/&parent. The …
- CVE-2023-6127MEDIUMCVSS 5.4EG 5.42023-11-14
Unrestricted Upload of File with Dangerous Type in GitHub repository salesagility/suitecrm prior to 7.14.2, 7.12.14, 8.4.2.
- CVE-2023-6133MEDIUMCVSS 4.9EG 6.62023-11-15
The Forminator plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient blacklisting on the 'forminator_allowed_mime_types' function in versions up to, and including, 1.27.0. This makes it possible for authenticated…
- CVE-2023-6140HIGHCVSS 8.8EG 8.82024-01-08
The Essential Real Estate WordPress plugin before 4.4.0 does not prevent users with limited privileges on the site, like subscribers, from momentarily uploading malicious PHP files disguised as ZIP archives, which may lead to remote code e…
- CVE-2023-6187HIGHCVSS 8.8EG 7.52023-11-18
The Paid Memberships Pro plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'pmpro_paypalexpress_session_vars_for_user_fields' function in versions up to, and including, 2.12.3. Thi…
- CVE-2023-6219HIGHCVSS 7.2EG 7.22023-11-28
The BookingPress plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file validation on the 'bookingpress_process_upload' function in versions up to, and including, 1.0.76. This makes it possible for authentica…
- CVE-2023-6220HIGHCVSS 8.1EG 8.12024-01-11
The Piotnet Forms plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'piotnetforms_ajax_form_builder' function in versions up to, and including, 1.0.28. This makes it possible for u…
- CVE-2023-6274CRITICALCVSS 9.8EG 6.32023-11-24
A vulnerability was found in Byzoro Smart S80 up to 20231108. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /sysmanage/updatelib.php of the component PHP File Handler. The manipula…
- CVE-2023-6308HIGHCVSS 8.8EG 6.32023-11-27
A vulnerability, which was classified as critical, has been found in Xiamen Four-Faith Video Surveillance Management System 2016/2017. Affected by this issue is some unknown functionality of the component Apache Struts. The manipulation le…
- CVE-2023-6316CRITICALCVSS 9.8EG 9.82024-01-11
The MW WP Form plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the '_single_file_upload' function in versions up to, and including, 5.0.1. This makes it possible for unauthenticated …
- CVE-2023-6449HIGHCVSS 7.2EG 6.62023-12-01
The Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'validate' function and insufficient blocklisting on the 'wpcf7_antiscript_file_name' function in versions up t…
- CVE-2023-6551MEDIUMCVSS 5.4EG 6.52024-01-04
As a simple library, class.upload.php does not perform an in-depth check on uploaded files, allowing a stored XSS vulnerability when the default configuration is used. Developers must be aware of that fact and use extension whitelisting…
- CVE-2023-6558HIGHCVSS 7.2EG 7.22024-01-11
The Export and Import Users and Customers plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation on the 'upload_import_file' function in versions up to, and including, 2.4.8. This makes it pos…
- CVE-2023-6562HIGHCVSS 7.5EG 7.52023-12-20
JPX Fragment List (flst) box vulnerability in Kakadu 7.9 allows an attacker to exfiltrate local and remote files reachable by a server if the server allows the attacker to upload a specially-crafted the image that is displayed back to the …
- CVE-2023-6574HIGHCVSS 8.8EG 6.32023-12-07
A vulnerability was found in Byzoro Smart S20 up to 20231120 and classified as critical. Affected by this issue is some unknown functionality of the file /sysmanage/updateos.php of the component HTTP POST Request Handler. The manipulation …
- CVE-2023-6576HIGHCVSS 8.8EG 6.32023-12-07
A vulnerability was found in Byzoro S210 up to 20231123. It has been declared as critical. This vulnerability affects unknown code of the file /Tool/uploadfile.php of the component HTTP POST Request Handler. The manipulation of the argumen…
- CVE-2023-6635HIGHCVSS 7.2EG 7.22024-02-05
The EditorsKit plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation on the 'import_styles' function in versions up to, and including, 1.40.3. This makes it possible for authenticated attackers wi…
- CVE-2023-6636HIGHCVSS 7.2EG 7.22024-01-11
The Greenshift – animation and page builder blocks plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation on the 'gspb_save_files' function in versions up to, and including, 7.6.2. This makes it …
- CVE-2023-6675CRITICALCVSS 9.8EG 9.82024-02-02
Unrestricted Upload of File with Dangerous Type vulnerability in National Keep Cyber Security Services CyberMath allows Upload a Web Shell to a Web Server. This issue affects CyberMath: from v.1.4 before v.1.5.
- CVE-2023-6723CRITICALCVSS 9.8EG 10.02023-12-13
An unrestricted file upload vulnerability has been identified in Repbox, which allows an attacker to upload malicious files via the transforamationfileupload function, due to the lack of proper file type validation controls, resulting in a…
- CVE-2023-6794MEDIUMCVSS 4.7EG 5.52023-12-13
An arbitrary file upload vulnerability in Palo Alto Networks PAN-OS software enables an authenticated read-write administrator with access to the web interface to disrupt system processes and potentially execute arbitrary code with limited…
- CVE-2023-6826HIGHCVSS 7.2EG 7.22023-12-15
The E2Pdf plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation on the 'import_action' function in versions up to, and including, 1.20.25. This makes it possible for authenticated attackers w…
- CVE-2023-6827HIGHCVSS 8.8EG 7.52023-12-15
The Essential Real Estate plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation on the 'ajaxUploadFonts' function in versions up to, and including, 4.3.5. This makes it possible for authentic…
- CVE-2023-6846HIGHCVSS 8.8EG 8.82024-02-05
The File Manager Pro plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 8.3.4 via the mk_check_filemanager_php_syntax AJAX function. This makes it possible for authenticated attackers, with su…
Map vulnerabilities like CWE-434 to your infrastructure
EchelonGraph correlates every CVE — across CWE-434 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →