CVE-2026-9227
Status: Received - Intake
Arbitrary File Upload in GutenBee WordPress Plugin

Publication date: 2026-05-28

Last updated on: 2026-05-28

Assigner: Wordfence

Description
The GutenBee – Gutenberg Blocks plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 2.20.1 via the gutenbee_file_and_ext_json function. The function's strpos() check only verifies that the filename contains the substring '.json' rather than confirming that the filename ends with a .json extension, so a double-extension name such as shell.json.php passes validation and is stored with an executable extension. This makes it possible for authenticated attackers with Author-level access or above to upload files that the web server may execute, which can lead to remote code execution.
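The flawed substring test and a hardened replacement side by side, as an added illustration that is not the plugin's code: the vulnerable function models the strpos()-style check the description above reports, and the hardened one shows what an extension allowlist has to do instead. The PHP logic is mirrored in Python so it can be run here; the EXEC_EXTS list and the helper names are assumptions made for the example.

```python
"""Substring check vs. strict extension check for an upload filename.

Added illustration, not the GutenBee plugin's code: flawed_is_json() models
the strpos()-style test described in the advisory, strict_is_json() shows
what an extension allowlist has to do instead.
"""
import os

# Extensions a typical PHP-enabled web server hands to the interpreter.
# Illustrative list (assumption); extend it for the handlers on your host.
EXEC_EXTS = {"php", "php3", "php4", "php5", "php7", "php8", "phtml", "phar", "pht"}


def flawed_is_json(filename: str) -> bool:
    """Equivalent of PHP `strpos($filename, '.json') !== false`.

    Accepts any name that merely contains '.json', so 'shell.json.php'
    passes and is stored with an executable extension.
    """
    return ".json" in filename


def strict_is_json(filename: str) -> bool:
    """Allow a file only if its final extension is exactly .json.

    Also rejects executable inner extensions (shell.php.json): with Apache's
    AddHandler, an extension anywhere in the name selects the handler, so
    that form can still be executed even though it ends in .json.
    """
    base = os.path.basename(filename.replace("\\", "/"))
    segments = base.lower().split(".")
    # Need a stem and at least one extension; no empty segment ('.json', 'a..json').
    if len(segments) < 2 or "" in segments:
        return False
    if segments[-1] != "json":
        return False
    return not any(seg in EXEC_EXTS for seg in segments[1:-1])


def compare(filenames):
    """Return {name: (flawed_result, strict_result)} for a batch of names."""
    return {n: (flawed_is_json(n), strict_is_json(n)) for n in filenames}


if __name__ == "__main__":
    # Constructed sample names, including the bypass from the advisory.
    for name, (flawed, strict) in compare(
        ["layout.json", "shell.json.php", "shell.php.json", "data.v2.json", ".json"]
    ).items():
        print(f"{name:18} flawed={flawed!s:5} strict={strict}")
```

The hardened check deliberately looks at every dot-separated segment rather than only the last one; an allowlist that trusts the final extension alone is still open to the reversed form on servers whose handler matching is not anchored to the end of the name.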
Meta Information
Published: 2026-05-28
Last Modified: 2026-05-28
Generated: 2026-05-28
AI Q&A: 2026-05-28
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: cssigniter
Product: gutenbee
Version / Range: up to and including 2.20.1
CWE
CWE-434: The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
AI Powered Q&A
Can you explain this vulnerability to me?

The GutenBee – Gutenberg Blocks plugin for WordPress has a vulnerability in versions up to 2.20.1 that allows arbitrary file uploads. This happens because the plugin's function meant to check file extensions only looks for the presence of the string '.json' anywhere in the filename, rather than ensuring the filename actually ends with '.json'.

As a result, attackers with author-level access or higher can upload files with double extensions like 'shell.json.php' that bypass the check. These files may be executable, enabling remote code execution on the affected system.


How can this vulnerability impact me?

This vulnerability can have severe impacts because it allows authenticated users with author-level permissions or higher to upload potentially executable files to the server.

Such uploads can lead to remote code execution, meaning attackers could run malicious code on your server, potentially compromising the entire website, stealing data, defacing the site, or using the server for further attacks.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Exploitation leaves a file in the WordPress uploads directory whose name contains '.json' but ends with an executable extension (shell.json.php, shell.json.phtml and similar). Detection therefore focuses on the uploads tree, on the requests that fetch such a file (the attacker has to request it to execute it) and on the accounts that performed uploads.

  • Search the uploads tree for double extensions, case-insensitively and including the PHP variants: find /path/to/wordpress/wp-content/uploads -type f -iname '*.json.ph*'
  • Check web server access logs for requests to /wp-content/uploads/ paths with such names. Multipart upload filenames are not recorded in a standard access log, so correlate the timing of POST requests to the upload endpoints (wp-admin/async-upload.php, the REST media endpoint /wp-json/wp/v2/media) with the first GET of the suspicious file.
  • Review recent media-library uploads by Author-level and higher accounts (wp_posts rows with post_type 'attachment' record the uploader in post_author) and compare them with the files actually present on disk.
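The filesystem and log checks from the list above as one runnable hunt, an added example that is not part of the advisory: it flags names that contain '.json' and end in (or pass through) a PHP-style extension, both over a list of upload paths and over web-server access-log lines. The sample paths and combined-format log lines are constructed for the demonstration; the extension list and function names are assumptions.

```python
"""Hunt for double-extension uploads left by an exploit of this check.

Added example, not from the advisory. Flags filenames that contain '.json'
and end in (or pass through) a PHP-style extension, on disk and in access
logs. SAMPLE_PATHS and SAMPLE_LOG are constructed test data.
"""
import os
import re
from typing import Iterable, List, Tuple

# '.json' followed, possibly after more segments, by a PHP-style extension:
# shell.json.php, blocks.json.phtml, a.JSON.php5, x.json.bak.php
DOUBLE_EXT = re.compile(r"\.json(?:\.[^./\s]+)*\.(?:php\d?|phtml|phar|pht)\b", re.I)

# Request line of an Apache/nginx combined-format log entry.
REQ_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def is_double_ext(name: str) -> bool:
    """True if the basename carries the '.json.<executable>' pattern."""
    return bool(DOUBLE_EXT.search(os.path.basename(name)))


def suspicious_paths(paths: Iterable[str]) -> List[str]:
    """Filter an iterable of file paths down to the suspicious ones."""
    return [p for p in paths if is_double_ext(p)]


def walk_uploads(root: str) -> List[str]:
    """Same check over a real wp-content/uploads tree (path supplied by caller)."""
    return suspicious_paths(
        os.path.join(d, f) for d, _, files in os.walk(root) for f in files
    )


def suspicious_requests(lines: Iterable[str]) -> List[Tuple[str, str, int]]:
    """Requests for double-extension files under /wp-content/uploads/.

    Multipart upload filenames never appear in an access log, but the
    attacker has to request the dropped file to run it, and that GET does.
    """
    hits = []
    for line in lines:
        m = REQ_LINE.search(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]  # drop query string (?cmd=id)
        if "/wp-content/uploads/" in path and is_double_ext(path):
            hits.append((m.group("method"), path, int(m.group("status"))))
    return hits


SAMPLE_PATHS = [  # constructed
    "/var/www/html/wp-content/uploads/2026/05/layout.json",
    "/var/www/html/wp-content/uploads/2026/05/shell.json.php",
    "/var/www/html/wp-content/uploads/2026/05/blocks.json.phtml",
    "/var/www/html/wp-content/uploads/2026/05/report.json.bak",
]

SAMPLE_LOG = [  # constructed combined-format lines
    '203.0.113.7 - - [28/May/2026:10:02:11 +0000] "POST /wp-admin/async-upload.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [28/May/2026:10:02:19 +0000] "GET /wp-content/uploads/2026/05/shell.json.php?cmd=id HTTP/1.1" 200 88 "-" "curl/8.5.0"',
    '198.51.100.4 - - [28/May/2026:10:03:00 +0000] "GET /wp-content/uploads/2026/05/layout.json HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(suspicious_paths(SAMPLE_PATHS))
    print(suspicious_requests(SAMPLE_LOG))
```

On a live host, replace SAMPLE_PATHS with walk_uploads('/path/to/wordpress/wp-content/uploads') and feed the real access log to suspicious_requests; the POST to async-upload.php from the same client a few seconds before the GET is the upload to attribute to an account.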

What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability immediately, update the GutenBee plugin to a version later than 2.20.1, where the flawed JSON upload whitelist code has been removed.

If updating is not immediately possible, remove the upload_files capability from Author-level (and other non-administrator) roles until the patch is applied; this stops those accounts from uploading media at all.

Review the uploads directory and remove any suspicious files with double extensions that could be executable; treat a hit as a potential compromise and check what else that account did.

Apply web application firewall (WAF) rules to block uploads with double extensions or unexpected MIME types, and configure the web server so that nothing under wp-content/uploads is handed to the PHP interpreter; that server-side rule makes a file that slips past a filename check inert.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows authenticated attackers with author-level access to upload potentially executable files, leading to remote code execution. This can compromise the confidentiality, integrity, and availability of data handled by the affected WordPress site.

Such a compromise can impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive data and secure system operations to prevent unauthorized access and data breaches.

However, the provided information does not explicitly detail the direct effects on compliance frameworks.

