CVE-2026-9227
Received Received - Intake
Arbitrary File Upload in GutenBee WordPress Plugin

Publication date: 2026-05-28

Last updated on: 2026-05-28

Assigner: Wordfence

Description
The GutenBee – Gutenberg Blocks plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 2.20.1 via the gutenbee_file_and_ext_json function. This is due to a flawed strpos() substring check that only verifies whether the filename contains the string '.json' rather than confirming the filename ends with a .json extension, allowing double-extension filenames like shell.json.php to bypass validation. This makes it possible for authenticated attackers, with author-level access and above, to upload files that may be executable, which makes remote code execution possible.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-28
Last Modified
2026-05-28
Generated
2026-06-17
AI Q&A
2026-05-28
EPSS Evaluated
2026-06-16
NVD
CVE-2026-9227
EUVD
EUVD-2026-32732
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
cssigniter gutenbee to 2.20.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-434 The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The GutenBee – Gutenberg Blocks plugin for WordPress has a vulnerability in versions up to 2.20.1 that allows arbitrary file uploads. This happens because the plugin's function meant to check file extensions only looks for the presence of the string '.json' anywhere in the filename, rather than ensuring the filename actually ends with '.json'.

As a result, attackers with author-level access or higher can upload files with double extensions like 'shell.json.php' that bypass the check. These files may be executable, enabling remote code execution on the affected system.

Impact Analysis

This vulnerability can have severe impacts because it allows authenticated users with author-level permissions or higher to upload potentially executable files to the server.

Such uploads can lead to remote code execution, meaning attackers could run malicious code on your server, potentially compromising the entire website, stealing data, defacing the site, or using the server for further attacks.

Detection Guidance

This vulnerability involves the upload of files with double extensions such as shell.json.php that bypass the flawed filename check in the GutenBee plugin. To detect potential exploitation attempts on your system or network, you can search for uploaded files or HTTP requests containing suspicious double extensions or filenames containing '.json' but ending with executable extensions like '.php'.

  • Use commands to find suspicious files on your server, for example: find /path/to/wordpress/wp-content/uploads -type f -name '*.json.php'
  • Check web server logs for POST requests to upload endpoints containing filenames with '.json' and additional extensions.
  • Monitor for authenticated users with author-level access or higher performing file uploads.
Mitigation Strategies

To mitigate this vulnerability immediately, update the GutenBee plugin to a version later than 2.20.1 where the vulnerability has been fixed by removing the flawed JSON upload whitelist code.

If updating is not immediately possible, restrict author-level and higher users from uploading files until a patch is applied.

Review and remove any suspicious uploaded files with double extensions that could be executable.

Apply web application firewall (WAF) rules to block uploads of files with double extensions or unexpected MIME types.

Compliance Impact

The vulnerability allows authenticated attackers with author-level access to upload potentially executable files, leading to remote code execution. This can compromise the confidentiality, integrity, and availability of data handled by the affected WordPress site.

Such a compromise can impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive data and secure system operations to prevent unauthorized access and data breaches.

However, the provided information does not explicitly detail the direct effects on compliance frameworks.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-9227. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart