CVE-2016-20075
Status: Deferred - Pending Action

Arbitrary File Upload in WordPress Ultimate Product Catalog

Vulnerability report for CVE-2016-20075, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-15

Last updated on: 2026-06-15

Assigner: VulnCheck

Description

WordPress Ultimate Product Catalog 3.8.6 contains an arbitrary file upload vulnerability that allows authenticated users with the contributor, author, editor, or administrator role to upload malicious files through the plugin's custom fields functionality. An attacker can upload a PHP shell via the custom file field on the Products tab and then request it from the upcp-product-file-uploads directory, executing arbitrary code on the server.

Meta Information

Published: 2026-06-15
Last Modified: 2026-06-15
Generated: 2026-07-06
AI Q&A: 2026-06-15
EPSS Evaluated: 2026-07-04

Affected Vendors & Products

1 associated CPE:

Vendor: wpultimateproductcatalog
Product: ultimate_product_catalog
Version / Range: up to and including 3.8.6

Exploitability

CWE: CWE-863 (Incorrect Authorization). The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Compliance Impact

The vulnerability lets authenticated users in certain roles upload files that execute as code on the server, which can lead to unauthorized access to the site and the data it holds.

A compromise of that kind bears on standards and regulations such as GDPR and HIPAA, which require sensitive data to be protected and system access to be controlled.

The report itself does not spell out the effect on any particular standard; that depends on what data the affected site stores and processes.

Executive Summary

CVE-2016-20075 is an arbitrary file upload vulnerability in the WordPress Ultimate Product Catalog plugin version 3.8.6 and earlier.

Authenticated users with the contributor, author, editor, or administrator role can abuse the plugin's custom fields feature to upload malicious files, specifically PHP web shells.

The files are uploaded through the custom file field on the Products tab and stored in the "upcp-product-file-uploads" directory, from which a plain web request to the uploaded file executes the attacker's code on the server.

The vulnerability arises because the plugin does not properly validate the extension of uploaded files, so a .php file is accepted where only document or image types should be.

Impact Analysis

This vulnerability allows attackers holding one of the affected authenticated roles to upload PHP files that the web server will execute.

Successful exploitation yields remote code execution (RCE): the attacker runs arbitrary commands on the affected server with the privileges of the web server process.

This can result in full compromise of the server, including data theft, data manipulation, service disruption, or use of the server as a foothold for further attacks.

Detection Guidance

Check the plugin's upload directory, 'upcp-product-file-uploads' under the WordPress uploads folder, for files that should never be there. Because the exploit works by uploading a PHP shell through the custom file field, any PHP-family file in that directory is suspicious: not only .php, but also the .phtml, .php5 and .phar variants that some server configurations hand to the PHP engine.

Also review the activity of accounts with the contributor, author, editor, or administrator role for unexpected uploads through the Products tab custom fields, and correlate with the web server access log: a request for a PHP file under that directory is the shell being used.

Suggested commands to detect potential exploitation include:

  • Locate PHP-family files in the upload directory (case-insensitive, since the extension check is the weak point): find /path/to/wordpress/wp-content/uploads/upcp-product-file-uploads -type f \( -iname '*.php*' -o -iname '*.phtml' -o -iname '*.phar' \)
  • Find requests for such files in the web server access log, which indicate a shell being reached: grep -E 'upcp-product-file-uploads/[^ ]*\.(php|phtml|phar)' /var/log/apache2/access.log
  • Review WordPress user activity logs (if an audit plugin is installed) for file upload actions by users with the contributor, author, editor, or administrator role.
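The two file-system and log checks above, combined into one script as an added example (this is not code from the advisory or from the plugin). It assumes the upload directory lives at wp-content/uploads/upcp-product-file-uploads under the document root and that the access log is in the Apache/nginx "combined" format; the sample files and log lines are constructed so the script runs offline.

```shell
#!/bin/sh
# Added example, not code from the advisory or the plugin: look for PHP files
# dropped into the Ultimate Product Catalog upload directory and for web
# requests that fetched them. The upload path under wp-content/uploads and the
# "combined" access-log format are assumptions.

UPLOAD_SUBDIR='wp-content/uploads/upcp-product-file-uploads'

# Apache/nginx setups frequently hand more than plain ".php" to the PHP
# engine (.php5, .phtml, .phar), so match those too, case-insensitively.
PHP_EXT_RE='\.(php[0-9]*|phtml|phar)$'

# List files under the upload directory with a PHP-executable extension.
# Argument: the WordPress document root. Prints nothing (and exits 0) when
# the directory is missing or clean.
find_suspicious_uploads() {
    find "$1/$UPLOAD_SUBDIR" -type f 2>/dev/null | grep -Ei "$PHP_EXT_RE" || true
}

# Print "client method path status" for every access-log line that requested
# a PHP-family file under the upload directory: a 200 here is a shell being
# used, a 403 means a deny rule caught it. Argument: path to the access log.
log_hits() {
    grep -Ei 'upcp-product-file-uploads/[^ "?]*\.(php[0-9]*|phtml|phar)([ ?]|$)' "$1" 2>/dev/null \
        | awk '{ print $1, $6, $7, $9 }' | tr -d '"' || true
}

# Constructed sample data so the script runs offline: a throwaway document
# root holding one benign upload and two PHP-family files, plus four log lines.
SAMPLE_ROOT=$(mktemp -d)
mkdir -p "$SAMPLE_ROOT/$UPLOAD_SUBDIR"
printf 'not really a PDF\n' > "$SAMPLE_ROOT/$UPLOAD_SUBDIR/datasheet.pdf"
printf '<?php /* constructed placeholder, not a real shell */ ?>\n' \
    > "$SAMPLE_ROOT/$UPLOAD_SUBDIR/shell.php"
printf '<?php /* constructed placeholder */ ?>\n' \
    > "$SAMPLE_ROOT/$UPLOAD_SUBDIR/Image.PHTML"

SAMPLE_LOG="$SAMPLE_ROOT/access.log"
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.5 - - [15/Jun/2026:10:00:01 +0000] "GET /wp-content/uploads/upcp-product-file-uploads/datasheet.pdf HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.9 - - [15/Jun/2026:10:00:07 +0000] "GET /wp-content/uploads/upcp-product-file-uploads/shell.php?cmd=id HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.9 - - [15/Jun/2026:10:00:09 +0000] "POST /wp-content/uploads/upcp-product-file-uploads/shell.php HTTP/1.1" 200 128 "-" "curl/8.0"
198.51.100.2 - - [15/Jun/2026:10:01:00 +0000] "GET /wp-content/uploads/2026/06/photo.php HTTP/1.1" 404 0 "-" "Mozilla/5.0"
EOF

echo "== PHP-family files in $UPLOAD_SUBDIR =="
find_suspicious_uploads "$SAMPLE_ROOT"
echo "== Requests that reached them =="
log_hits "$SAMPLE_LOG"
```

Against the sample data the first check reports shell.php and Image.PHTML but not the PDF, and the second reports only the two requests from 203.0.113.9 that hit shell.php; the request for a PHP file elsewhere under uploads is ignored on purpose, since this is a check for this plugin's directory, not a general web-shell hunt. On a real host, run the first function against the document root and the second against each rotated access log, and treat any 200 response to a PHP file in that directory as confirmed exploitation rather than an attempt.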

Mitigation Strategies

Until a fixed version is installed, restrict or disable file uploads through the plugin's custom fields for the contributor, author, editor, and administrator roles. Note that a stock WordPress contributor cannot upload media at all, so an upload path the plugin opens to that role grants more than core does.

Blocking execution of PHP files in the 'upcp-product-file-uploads' directory (rather than deleting the directory, which breaks legitimate product files) cuts the path from upload to remote code execution even if a shell is written to disk.

Apply the vendor's patched release as soon as one is available; versions up to and including 3.8.6 are affected.

As a temporary measure, add web server rules (a .htaccess file for Apache, a location block for nginx) that refuse to execute or serve PHP files in the upload directory.

Review and audit user roles and permissions so that only trusted users can upload files, and downgrade or remove accounts that do not need the capability.
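The .htaccess hardening described above, as an added example that is not code from the advisory or the plugin. It assumes the upload directory sits at wp-content/uploads/upcp-product-file-uploads under the document root, and it only works where Apache honours per-directory overrides there (AllowOverride covering Limit and AuthConfig); otherwise the file is silently ignored. The demo directory at the end is constructed so the script runs offline.

```shell
#!/bin/sh
# Added example, not code from the advisory or the plugin: install an Apache
# .htaccess in the plugin's upload directory so PHP-family files there are
# refused outright, and verify it. The upload path is an assumption, and the
# server must allow overrides for that directory (AllowOverride with at least
# Limit and AuthConfig) or the file is ignored.

UPLOAD_SUBDIR='wp-content/uploads/upcp-product-file-uploads'

# Write the deny rule. The pattern is deliberately not anchored at the end of
# the name so that double extensions such as "shell.php.jpg", which
# AddHandler-based PHP setups can still execute, are covered as well. Both the
# Apache 2.4 (Require) and 2.2 (Order/Deny) forms are emitted.
# Argument: the WordPress document root.
install_upload_htaccess() {
    dir="$1/$UPLOAD_SUBDIR"
    mkdir -p "$dir"
    cat > "$dir/.htaccess" <<'EOF'
# Refuse to serve or execute any PHP-family file uploaded into this directory.
<FilesMatch "\.(php[0-9]*|phtml|phar)">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>
EOF
    chmod 0644 "$dir/.htaccess"
}

# Return 0 when the upload directory carries the deny rule, 1 otherwise, so
# configuration drift can be checked from cron or a CI job.
htaccess_present() {
    grep -q 'Require all denied' "$1/$UPLOAD_SUBDIR/.htaccess" 2>/dev/null
}

# Demo against a throwaway directory (constructed). In production, point it
# at the real document root, e.g. install_upload_htaccess /var/www/html.
DEMO_ROOT=$(mktemp -d)
install_upload_htaccess "$DEMO_ROOT"
if htaccess_present "$DEMO_ROOT"; then
    echo "deny rule installed at $DEMO_ROOT/$UPLOAD_SUBDIR/.htaccess"
fi
```

nginx ignores .htaccess files entirely; the equivalent there is a location block matching that directory and PHP-family extensions with deny all, placed before the block that passes .php requests to PHP-FPM. Either way the rule stops the uploaded shell from running but does not stop the upload itself, so the detection checks still apply and the plugin update remains the actual fix.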
