CVE-2026-28133
Received Received - Intake

Unrestricted File Upload in WP Chill Filr Enables Remote Code Execution

Vulnerability report for CVE-2026-28133, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-03-05

Last updated on: 2026-04-28

Assigner: Patchstack

Description

Unrestricted Upload of File with Dangerous Type vulnerability in WP Chill Filr filr-protection allows Upload a Web Shell to a Web Server.This issue affects Filr: from n/a through <= 1.2.14.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-03-05
Last Modified
2026-04-28
Generated
2026-07-06
AI Q&A
2026-03-05
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
wp_chill filr_protection to 1.2.12 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-434 The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-28133 is an Arbitrary File Upload vulnerability in the WordPress Filr Plugin (versions up to and including 1.2.12). It allows a malicious user with at least Contributor or Developer privileges to upload arbitrary files to the website.

This includes the ability to upload dangerous files such as web shells, which can be executed on the server to gain further unauthorized access.

The vulnerability is classified under OWASP Top 10 category A3: Injection and is considered a medium priority issue with a CVSS score of 8.5.

Impact Analysis

This vulnerability can allow attackers to upload malicious backdoors or web shells to your website, which can then be executed to gain unauthorized access and control over your web server.

Such unauthorized access can lead to data breaches, website defacement, service disruption, or further exploitation of your server and network.

Because exploitation requires at least Contributor or Developer privileges, the risk is higher if such user accounts are compromised or misused.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

This vulnerability allows attackers with Contributor or Developer privileges to upload arbitrary files, including malicious backdoors, to your WordPress site using the Filr Plugin up to version 1.2.12.

Since no official patch is currently available, it is strongly advised to immediately apply the mitigation rule provided by Patchstack to block attacks exploiting this vulnerability.

Applying this mitigation will help protect your website until an official patch is released, tested, and safely applied.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-28133. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart