CVE-2026-14489
The WHMCS Bridge plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the connect() function
CVSS
8.8
High
EPSS
0.6%
p43
KEV
—
Exploit Today
13
0-100
Published: Jul 8, 2026 · Last modified: Jul 8, 2026 · CWE-434
0.6%EPSS · 30 days0.6%
2026-07-082026-07-17
The WHMCS Bridge plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the connect() function in all versions up to, and including, 6.9. This makes it possible for authenticated attackers, with Custom-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
- plugins.trac.wordpress.orghttps://plugins.trac.wordpress.org/browser/whmcs-bridge/tags/6.9/bridge.init.php#L482
- plugins.trac.wordpress.orghttps://plugins.trac.wordpress.org/browser/whmcs-bridge/tags/6.9/bridge.init.php#L809
- plugins.trac.wordpress.orghttps://plugins.trac.wordpress.org/browser/whmcs-bridge/tags/6.9/bridge.init.php#L852
- plugins.trac.wordpress.orghttps://plugins.trac.wordpress.org/browser/whmcs-bridge/tags/6.9/includes/request.class.php#L296
- plugins.trac.wordpress.orghttps://plugins.trac.wordpress.org/browser/whmcs-bridge/tags/6.9/includes/request.class.php#L309
- www.wordfence.comhttps://www.wordfence.com/threat-intel/vulnerabilities/id/c4fe6dcc-93c8-4956-85ae-a1125bc84509?source=cve
CVECVSSEPSSKEVRExploitTitleMod.
CVE-2026-562909.8 CRI85.4%
KEV—76Joomlack Page Builder Improper Access Control Vulnerability10dCVE-2026-489089.8 CRI72.6%
KEV—72JoomShaper SP Page Builder Unrestricted Upload of File with Dangerous Type Vulnerability10dCVE-2026-489399.8 CRI71.5%
KEV—71iCagenda Unrestricted Upload of File with Dangerous Type Vulnerability7dCVE-2026-562919.8 CRI53.7%
KEV—66Balbooa Forms Unrestricted Upload of File with Dangerous Type Vulnerability7dCVE-2023-388368.8 HIG99.3%
——30File Upload vulnerability in BoidCMS v.2.0.0 allows a remote attacker to execute arbitrary code by adding a GIF header to bypass MIME type checks.9dCVE-2023-464747.2 HIG97.3%
——29File Upload vulnerability PMB v.7.4.8 allows a remote attacker to execute arbitrary code and escalate privileges via a crafted PHP file uploaded to the start_import.php file.9d