Executive Summary

CVE-2026-28133 is an Arbitrary File Upload vulnerability in the WordPress Filr Plugin (versions up to and including 1.2.12). It allows a malicious user with at least Contributor or Developer privileges to upload arbitrary files to the website.

This includes the ability to upload dangerous files such as web shells, which can be executed on the server to gain further unauthorized access.

The vulnerability is classified under OWASP Top 10 category A3: Injection and is considered a medium priority issue with a CVSS score of 8.5.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow attackers to upload malicious backdoors or web shells to your website, which can then be executed to gain unauthorized access and control over your web server.

Such unauthorized access can lead to data breaches, website defacement, service disruption, or further exploitation of your server and network.

Because exploitation requires at least Contributor or Developer privileges, the risk is higher if such user accounts are compromised or misused.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

I don't know

Useful 0 Not Useful 0

Mitigation Strategies

This vulnerability allows attackers with Contributor or Developer privileges to upload arbitrary files, including malicious backdoors, to your WordPress site using the Filr Plugin up to version 1.2.12.

Since no official patch is currently available, it is strongly advised to immediately apply the mitigation rule provided by Patchstack to block attacks exploiting this vulnerability.

Applying this mitigation will help protect your website until an official patch is released, tested, and safely applied.

Useful 0 Not Useful 0