What the vulnerability does
01Description
WordPress Ultimate Product Catalog 3.8.6 contains an arbitrary file upload vulnerability that allows authenticated users with contributor, editor, author, or administrator roles to upload malicious files by exploiting the custom fields functionality. Attackers can upload PHP shells through the Products tab custom file field and access them via the upcp-product-file-uploads directory to execute arbitrary code on the server.
Explanation of Vulnerability in Simple Terms
02Summary
Ultimate Product Catalog versions 3.8.6 and later contain an authorization flaw that allows authenticated users to access or modify data they should not have permission to view or change. The vulnerability requires a valid user account but no additional user interaction. Site administrators should update to a patched version when available.
What an attacker can do
03Attacker Capabilities
Access or modify product catalog data beyond their assigned permissions.
Potential impact on your site
04Site Impact
Authenticated users can view or alter catalog content they shouldn't have access to, risking data integrity and confidentiality.
Conditions required to exploit
05Prerequisites
Attacker must have a valid user account on the site.
Key dates
06Disclosure timeline
June 15, 2026
CVE published
June 15, 2026
Record updated