What the vulnerability does
01Description
WordPress Background Image Cropper version 1.2 contains a remote code execution vulnerability that allows unauthenticated attackers to upload arbitrary files by accessing the ups.php endpoint. Attackers can upload PHP files through the file upload form in the plugin directory to execute arbitrary code on the server.
Explanation of Vulnerability in Simple Terms
02Summary
Background Image Cropper contains an unrestricted file upload vulnerability that allows unauthenticated attackers to upload arbitrary files to the server over the network without user interaction. An attacker can upload malicious files, potentially including executable code, to compromise the site. The vulnerability affects version 1.2 and requires immediate patching.
What an attacker can do
03Attacker Capabilities
Upload arbitrary files to the server, potentially including malicious code or scripts.
Potential impact on your site
04Site Impact
Attackers can upload and execute malicious files, leading to full site compromise or data theft.
Conditions required to exploit
05Prerequisites
Network access only; no authentication or user interaction required.
Key dates
06Disclosure timeline
June 8, 2026
CVE published
June 8, 2026
Record updated