What the vulnerability does
01 Description
Uploadify WordPress plugin versions up to and including 1.0 contain an arbitrary file upload vulnerability in process_upload.php due to missing file type validation. An unauthenticated remote attacker can upload arbitrary files to the affected WordPress site, which may allow remote code execution by uploading executable content to a web-accessible location.
Explanation of Vulnerability in Simple Terms
02 Summary
Uploadify versions 1.0 and earlier allow unauthenticated attackers to upload files without restriction. An attacker can send a crafted upload request over the network to place arbitrary files on the server, potentially including executable code. No user interaction or special privileges are required to exploit this vulnerability.
What an attacker can do
03 Attacker Capabilities
Upload arbitrary files to the server, including executable code or malware.
Potential impact on your site
04 Site Impact
Attackers can upload malicious files and execute code on your site without logging in.
Conditions required to exploit
05 Prerequisites
Network access to the Uploadify component; no authentication required.
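Because the upload endpoint needs no authentication, web server access logs are the first place to check whether process_upload.php has been reached. The following is an added example, not code from the plugin or from this advisory; it assumes logs in Combined Log Format, and the sample lines and the `PLUGIN-DIR` path segment are constructed placeholders.

```python
import re
from collections import defaultdict

# Combined Log Format: ip ident user [time] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
TARGET = "process_upload.php"  # script named in the advisory


def find_upload_hits(lines):
    """Return {client_ip: [(timestamp, path, status), ...]} for POSTs to the script."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        # Compare only the script name, ignoring query string and letter case.
        script = m["path"].split("?", 1)[0].rsplit("/", 1)[-1].lower()
        if script == TARGET:
            hits[m["ip"]].append((m["ts"], m["path"], int(m["status"])))
    return dict(hits)


def accepted(hits):
    """Client IPs whose POST got a 2xx response, so the upload was likely processed."""
    return sorted(
        ip for ip, rows in hits.items() if any(200 <= s < 300 for _, _, s in rows)
    )


# Constructed sample lines (documentation IP ranges, placeholder plugin directory).
SAMPLE = [
    '203.0.113.7 - - [16/Jan/2026:10:02:11 +0000] "POST /wp-content/plugins/PLUGIN-DIR/process_upload.php HTTP/1.1" 200 31 "-" "curl/8.5.0"',
    '198.51.100.4 - - [16/Jan/2026:10:05:40 +0000] "GET /wp-content/plugins/PLUGIN-DIR/process_upload.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [16/Jan/2026:10:07:02 +0000] "POST /wp-content/plugins/PLUGIN-DIR/Process_Upload.php?x=1 HTTP/1.1" 403 199 "-" "python-requests/2.31"',
    '192.0.2.55 - - [16/Jan/2026:10:09:30 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    found = find_upload_hits(SAMPLE)
    for ip, rows in found.items():
        for ts, path, status in rows:
            print(f"{ip} [{ts}] POST {path} -> {status}")
    print("Accepted uploads from:", accepted(found))
```

Any IP reported as accepted warrants a review of files written to web-accessible directories around the logged timestamp.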
Key dates
06 Disclosure timeline
January 15, 2026
CVE published
May 14, 2026
Record updated