CVE-2026-1730
Arbitrary File Upload in OS DataHub Maps Plugin Enables RCE
Publication date: 2026-02-03
Last updated on: 2026-02-03
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| unknown_vendor | os_datahub_maps | to 1.8.3 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the OS DataHub Maps WordPress plugin (up to version 1.8.3) is due to incorrect file type validation in the 'OS_DataHub_Maps_Admin::add_file_and_ext' function. This flaw allows authenticated users with Author-level access or higher to upload arbitrary files to the server. Because the plugin does not properly validate file extensions, attackers can upload potentially malicious files, which may lead to remote code execution on the affected site. [3]
How can this vulnerability impact me? :
This vulnerability can have severe impacts including unauthorized file uploads by authenticated users, which can lead to remote code execution on the server hosting the WordPress site. This means attackers could execute malicious code, potentially compromising the entire website, stealing data, defacing the site, or using the server for further attacks. [3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves checking if the OS DataHub Maps plugin version is 1.8.3 or earlier, as these versions contain the vulnerable file upload validation. Since the vulnerability allows authenticated users with Author-level access or higher to upload arbitrary files, monitoring for unusual file uploads or unexpected file types in the plugin's upload directories can help detect exploitation attempts. Specific commands are not provided in the resources, but general approaches include: 1) Checking the plugin version in the WordPress admin dashboard or via command line by inspecting the plugin files. 2) Monitoring web server logs for POST requests to the plugin's file upload endpoints. 3) Searching for suspicious files uploaded to the server, especially those with unusual extensions or executable content. 4) Using WordPress CLI commands to list installed plugins and their versions (e.g., `wp plugin list`). [3, 4]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the OS DataHub Maps plugin to version 1.8.4 or later, where the vulnerability has been fixed by improving file extension validation in the `add_file_and_ext` function. This update restricts uploads to only allowed file types, preventing arbitrary file uploads. Additionally, reviewing and restricting user permissions to limit Author-level access and above to trusted users can reduce risk. Monitoring and removing any suspicious files uploaded prior to the update is also recommended. [3]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability in the OS DataHub Maps plugin allows authenticated users with Author-level access or higher to upload arbitrary files to the server, potentially leading to remote code execution. This could result in unauthorized access to sensitive data or system compromise.
Such unauthorized file uploads and potential remote code execution can undermine the security controls required by common standards and regulations like GDPR and HIPAA, which mandate protection of personal and sensitive data against unauthorized access and breaches.
Therefore, exploitation of this vulnerability could lead to non-compliance with these regulations due to increased risk of data breaches and loss of data integrity and confidentiality.