CyberRota

CVE-2026-13369

HIGH · CVSS 7.5 · EPSS 0.52%

Source: NVD + CISA KEV + EPSS · Published: 2026-07-02T10:16:28.130 · Retrieved: 2026-07-02T18:28:03.411822+00:00

CyberRota Commentary

Detailed analysis required.

CVE: CVE-2026-13369
Severity: HIGH
CVSS: 7.5
EPSS: 0.52%
WordPress

Original NVD Description

The Ninja Forms - File Uploads plugin for WordPress is vulnerable to Arbitrary File Read via the attach_files() function in versions up to, and including, 3.3.29. This is due to the get_files_for_attachment() function accepting a raw attacker-controlled 'files' array when the process() method returns early due to a client-supplied saveProgress flag, bypassing all upload validation, path normalization, and database record creation steps, and allowing an attacker-supplied file_path value to reach wp_mail() as an email attachment with only a file_exists() check. This makes it possible for unauthenticated attackers to read arbitrary files on the affected site's server.