WordPress File Upload

Wordfence Intelligence   >   Vulnerability Database   >   WordPress Plugins   >   WordPress File Upload

Information

Software Type Plugin
Software Slug wp-file-upload (view on wordpress.org)
Software Status Removed
Software Author nickboss
Software Website www.iptanus.com
Software Downloads 1,381,352
Software Active Installs 20,000
Software Record Last Updated April 2, 2025

Showing 1-20 of 30 Vulnerabilities

Submit a Vulnerability
WordPress File Upload <= 4.25.2 - Cross-Site Request Forgery in wfu_file_details
4.3
CVE-2024-13494
Feb 24, 2025
Researcher: Tim Coen
WordPress File Upload <= 4.24.12 - Unuathenticated Remote Code Execution
9.8
CVE-2024-11635
Jan 7, 2025
Researcher: abrahack
WordPress File Upload <= 4.24.15 - Unauthenticated Remote Code Execution, Arbitrary File Read, and Arbitrary File Deletion
9.8
CVE-2024-11613
Jan 7, 2025
Researcher: abrahack
WordPress File Upload <= 4.24.13 - Unauthenticated Path Traversal to Arbitrary File Read in wfu_file_downloader.php
7.5
CVE-2024-9939
Jan 7, 2025
Researcher: abrahack
WordPress File Upload <= 4.24.15 - Missing Authorization to Authenticated (Subscriber+) Limited Path Traversal
4.3
CVE-2024-12719
Jan 6, 2025
Researcher: Lucio Sá
WordPress File Upload <= 4.24.11 - Unauthenticated Path Traversal to Arbitrary File Read and Deletion in wfu_file_downloader.php
9.8
CVE-2024-9047
Oct 11, 2024
Researcher: Arkadiusz Hydzik
WordPress File Upload <= 4.24.8 - Unauthenticated Stored Cross-Site Scripting via SVG File Upload
7.2
CVE-2024-7301
Aug 15, 2024
Researcher: wesley (wcraft)
WordPress File Upload <= 4.24.7 - Missing Authorization
5.4
CVE-2024-39639
Aug 1, 2024
Researcher: emad
WordPress File Upload <= 4.24.7 - Unauthenticated Stored Cross-Site Scripting
7.2
CVE-2024-6494
Jul 16, 2024
Researcher: Majdeddine Ben Hadj Brahim
WordPress File Upload <= 4.24.7 - Reflected Cross-Site Scripting
6.1
CVE-2024-6651
Jul 16, 2024
Researcher: Đức Tài
WordPress File Upload <= 4.24.7 - Authenticated (Contributor+) Directory Traversal
4.3
CVE-2024-5852
Jul 15, 2024
Researcher: Colin Xu
WordPress File Upload <= 4.24.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
6.4
CVE-2024-2847
Mar 29, 2024
Researcher: Krzysztof Zając
Wordpress File Upload 4.24.0 - Cross-Site Request Forgery
4.3
CVE ID Unknown
Nov 14, 2023
Researchers:
Wordpress File Upload <= 4.23.2 - Authenticated(Administrator+) Stored Cross-Site Scripting
4.4
CVE-2023-4811
Sep 12, 2023
Researcher: FAIYAZ AHMAD
WordPress File Upload / WordPress File Upload Pro <= 4.19.1 - Authenticated (Administrator+) Path Traversal
4.9
CVE-2023-2688
May 23, 2023
Researcher: Marco Wotschka
WordPress File Upload / WordPress File Upload Pro <= 4.19.1 - Authenticated (Administrator+) Stored Cross-Site Scripting
4.4
CVE-2023-2767
May 23, 2023
Researcher: Marco Wotschka
WordPress File Upload <= 4.16.3 - Cross-Site Scripting
5.4
CVE ID Unknown
May 15, 2022
Researchers:
WordPress File Upload / WordPress File Upload Pro <= 4.16.2 - Authenticated (Contributor+) Path Traversal
6.5
CVE-2021-24962
Mar 1, 2022
Researcher: apple502j
WordPress File Upload <= 4.16.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Malicious SVG
5.4
CVE-2021-24960
Feb 14, 2022
Researcher: apple502j
WordPress File Upload <= 4.16.2 - Authenticated Stored Cross-Site Scripting via Shortcode
5.4
CVE-2021-24961
Feb 14, 2022
Researcher: apple502j
Title Status CVE ID CVSS Researchers Date
WordPress File Upload <= 4.25.2 - Cross-Site Request Forgery in wfu_file_details Patched CVE-2024-13494 4.3 Tim Coen February 24, 2025
WordPress File Upload <= 4.24.12 - Unuathenticated Remote Code Execution Patched CVE-2024-11635 9.8 abrahack January 7, 2025
WordPress File Upload <= 4.24.15 - Unauthenticated Remote Code Execution, Arbitrary File Read, and Arbitrary File Deletion Patched CVE-2024-11613 9.8 abrahack January 7, 2025
WordPress File Upload <= 4.24.13 - Unauthenticated Path Traversal to Arbitrary File Read in wfu_file_downloader.php Patched CVE-2024-9939 7.5 abrahack January 7, 2025
WordPress File Upload <= 4.24.15 - Missing Authorization to Authenticated (Subscriber+) Limited Path Traversal Patched CVE-2024-12719 4.3 Lucio Sá January 6, 2025
WordPress File Upload <= 4.24.11 - Unauthenticated Path Traversal to Arbitrary File Read and Deletion in wfu_file_downloader.php Patched CVE-2024-9047 9.8 Arkadiusz Hydzik October 11, 2024
WordPress File Upload <= 4.24.8 - Unauthenticated Stored Cross-Site Scripting via SVG File Upload Patched CVE-2024-7301 7.2 wesley (wcraft) August 15, 2024
WordPress File Upload <= 4.24.7 - Missing Authorization Patched CVE-2024-39639 5.4 emad August 1, 2024
WordPress File Upload <= 4.24.7 - Unauthenticated Stored Cross-Site Scripting Patched CVE-2024-6494 7.2 Majdeddine Ben Hadj Brahim July 16, 2024
WordPress File Upload <= 4.24.7 - Reflected Cross-Site Scripting Patched CVE-2024-6651 6.1 Đức Tài July 16, 2024
WordPress File Upload <= 4.24.7 - Authenticated (Contributor+) Directory Traversal Patched CVE-2024-5852 4.3 Colin Xu July 15, 2024
WordPress File Upload <= 4.24.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Patched CVE-2024-2847 6.4 Krzysztof Zając March 29, 2024
Wordpress File Upload 4.24.0 - Cross-Site Request Forgery Patched 4.3 November 14, 2023
Wordpress File Upload <= 4.23.2 - Authenticated(Administrator+) Stored Cross-Site Scripting Patched CVE-2023-4811 4.4 FAIYAZ AHMAD September 12, 2023
WordPress File Upload / WordPress File Upload Pro <= 4.19.1 - Authenticated (Administrator+) Path Traversal Patched CVE-2023-2688 4.9 Marco Wotschka May 23, 2023
WordPress File Upload / WordPress File Upload Pro <= 4.19.1 - Authenticated (Administrator+) Stored Cross-Site Scripting Patched CVE-2023-2767 4.4 Marco Wotschka May 23, 2023
WordPress File Upload <= 4.16.3 - Cross-Site Scripting Patched 5.4 May 15, 2022
WordPress File Upload / WordPress File Upload Pro <= 4.16.2 - Authenticated (Contributor+) Path Traversal Patched CVE-2021-24962 6.5 apple502j March 1, 2022
WordPress File Upload <= 4.16.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Malicious SVG Patched CVE-2021-24960 5.4 apple502j February 14, 2022
WordPress File Upload <= 4.16.2 - Authenticated Stored Cross-Site Scripting via Shortcode Patched CVE-2021-24961 5.4 apple502j February 14, 2022

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation

This site uses cookies in accordance with our Privacy Policy.