CVE-2026-1756
Unknown Unknown - Not Provided
Arbitrary File Upload in WP FOFT Loader Plugin Enables RCE

Publication date: 2026-02-04

Last updated on: 2026-02-04

Assigner: Wordfence

Description
The WP FOFT Loader plugin for WordPress is vulnerable to arbitrary file uploads due to incorrect file type validation in the 'WP_FOFT_Loader_Mimes::file_and_ext' function in all versions up to, and including, 2.1.39. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-04
Last Modified
2026-02-04
Generated
2026-06-16
AI Q&A
2026-02-04
EPSS Evaluated
2026-06-15
NVD
CVE-2026-1756
EUVD
EUVD-2026-5387
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wordfence wp_foft_loader to 2.1.39 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-434 The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The WP FOFT Loader plugin for WordPress has a vulnerability in its file type validation function called 'WP_FOFT_Loader_Mimes::file_and_ext'. This flaw allows authenticated users with Author-level access or higher to upload arbitrary files to the server because the plugin does not correctly verify the file types being uploaded.

Because of this improper validation, attackers can upload malicious files that could potentially be executed remotely on the affected server, leading to remote code execution.

Impact Analysis

This vulnerability can have serious impacts including unauthorized file uploads by users with Author-level access or above. Such uploads can lead to remote code execution on the server hosting the WordPress site.

Remote code execution can allow attackers to take control of the website, modify or delete data, deface the site, or use the server as a launchpad for further attacks.

Overall, this can compromise the confidentiality, integrity, and availability of the affected website and its data.

Compliance Impact

I don't know

Detection Guidance

This vulnerability involves arbitrary file uploads via the WP FOFT Loader plugin due to improper file type validation. Detection involves identifying unauthorized or suspicious file uploads, especially files with extensions other than the allowed .woff and .woff2 font files.

You can check your WordPress uploads directory for unexpected file types or recently uploaded files by users with Author-level access or higher.

  • Use commands to find suspicious files in the uploads directory, for example:
  • find /path/to/wordpress/wp-content/uploads -type f \! -name '*.woff' \! -name '*.woff2' -ls
  • Check recent uploads by users with Author or higher roles by reviewing WordPress logs or database entries related to media uploads.
  • Monitor web server logs for POST requests to the upload endpoints from authenticated users.
Mitigation Strategies

To mitigate this vulnerability, immediately update the WP FOFT Loader plugin to a version later than 2.1.39 where the file type validation issue has been fixed.

If an update is not immediately possible, restrict upload permissions to trusted users only and monitor uploads closely.

Additionally, consider implementing web application firewall (WAF) rules to block suspicious file uploads and scanning your server for any uploaded malicious files.

Review and harden file upload validation mechanisms to ensure only allowed MIME types and extensions (.woff and .woff2) are accepted.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-1756. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart