CVE-2026-1756
Arbitrary File Upload in WP FOFT Loader Plugin Enables RCE
Publication date: 2026-02-04
Last updated on: 2026-02-04
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordfence | wp_foft_loader | to 2.1.39 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The WP FOFT Loader plugin for WordPress has a vulnerability in its file type validation function called 'WP_FOFT_Loader_Mimes::file_and_ext'. This flaw allows authenticated users with Author-level access or higher to upload arbitrary files to the server because the plugin does not correctly verify the file types being uploaded.
Because of this improper validation, attackers can upload malicious files that could potentially be executed remotely on the affected server, leading to remote code execution.
How can this vulnerability impact me? :
This vulnerability can have serious impacts including unauthorized file uploads by users with Author-level access or above. Such uploads can lead to remote code execution on the server hosting the WordPress site.
Remote code execution can allow attackers to take control of the website, modify or delete data, deface the site, or use the server as a launchpad for further attacks.
Overall, this can compromise the confidentiality, integrity, and availability of the affected website and its data.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves arbitrary file uploads via the WP FOFT Loader plugin due to improper file type validation. Detection involves identifying unauthorized or suspicious file uploads, especially files with extensions other than the allowed .woff and .woff2 font files.
You can check your WordPress uploads directory for unexpected file types or recently uploaded files by users with Author-level access or higher.
- Use commands to find suspicious files in the uploads directory, for example:
- find /path/to/wordpress/wp-content/uploads -type f \! -name '*.woff' \! -name '*.woff2' -ls
- Check recent uploads by users with Author or higher roles by reviewing WordPress logs or database entries related to media uploads.
- Monitor web server logs for POST requests to the upload endpoints from authenticated users.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately update the WP FOFT Loader plugin to a version later than 2.1.39 where the file type validation issue has been fixed.
If an update is not immediately possible, restrict upload permissions to trusted users only and monitor uploads closely.
Additionally, consider implementing web application firewall (WAF) rules to block suspicious file uploads and scanning your server for any uploaded malicious files.
Review and harden file upload validation mechanisms to ensure only allowed MIME types and extensions (.woff and .woff2) are accepted.