File Upload Vulnerability in FileOrganizer WordPress Plugin
CVE-2026-11962

Currently unrated

Key Information:

Vendor

WordPress

Vendor
CVE Published:
6 July 2026

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2026-11962?

The FileOrganizer plugin for WordPress, prior to version 1.2.0, is susceptible to a file upload vulnerability. This flaw allows authenticated users with file-manager access—potentially extended to sub-admins via a premium add-on—to bypass file type validation during various file management operations. Consequently, this vulnerability enables the upload of arbitrary PHP files, facilitating remote code execution on affected WordPress sites. This issue represents an incomplete remediation of a previous vulnerability, emphasizing the necessity for comprehensive file validation mechanisms to safeguard user environments.

Affected Version(s)

FileOrganizer 0 < 1.2.0

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

References

Timeline

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

Revanth Hari Narayana Matte
WPScan
.