File Upload Vulnerability in FileOrganizer WordPress Plugin
CVE-2026-11962
Key Information:
- Vendor
WordPress
- Status
- Vendor
- CVE Published:
- 6 July 2026
Badges
What is CVE-2026-11962?
The FileOrganizer plugin for WordPress, prior to version 1.2.0, is susceptible to a file upload vulnerability. This flaw allows authenticated users with file-manager access—potentially extended to sub-admins via a premium add-on—to bypass file type validation during various file management operations. Consequently, this vulnerability enables the upload of arbitrary PHP files, facilitating remote code execution on affected WordPress sites. This issue represents an incomplete remediation of a previous vulnerability, emphasizing the necessity for comprehensive file validation mechanisms to safeguard user environments.
Affected Version(s)
FileOrganizer 0 < 1.2.0
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.