Executive Summary

CVE-2026-27067 is an Arbitrary File Upload vulnerability in the WordPress Mobile App Editor Plugin versions up to and including 1.3.1.

This vulnerability allows an attacker with Editor or Developer privileges to upload arbitrary files, including dangerous files like web shells, to a website.

Such uploaded files can be executed to gain unauthorized access or control over the web server.

It is classified under OWASP Top 10 A3: Injection and has a high severity score of 9.1, indicating it is a serious security issue.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow attackers to upload malicious backdoors or web shells to your website.

Once uploaded, these files can be executed to gain unauthorized access, potentially leading to full control over your web server.

This can result in data breaches, defacement, service disruption, or further exploitation of your website and server.

Because of its high severity and ease of exploitation, it poses a significant risk to website security.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

I don't know

Useful 0 Not Useful 0

Mitigation Strategies

This vulnerability allows an attacker with Editor or Developer privileges to upload arbitrary files, including malicious backdoors, to a website.

Since no official patch is currently available, users are advised to apply the mitigation rule issued by Patchstack that can block attacks exploiting this vulnerability until a patch is released.

• Apply the Patchstack mitigation rule to block exploit attempts.
• Update the Mobile App Editor plugin immediately once an official patch is released.
• Seek assistance from your hosting provider or web developer to help mitigate the risk.

Useful 0 Not Useful 0