Arbitrary File Upload Vulnerability in Swiss Toolkit For WP Plugin
CVE-2026-2354
8.8HIGH
What is CVE-2026-2354?
The Swiss Toolkit For WP plugin for WordPress is susceptible to an arbitrary file upload vulnerability stemming from inadequate validation of file types in the upload_extension_files function. The function in question utilizes a string search method instead of a thorough verification of file extensions, allowing authenticated users with Author-level permissions and above to upload potentially malicious files, including PHP scripts, to the server. This vulnerability becomes a significant risk if the Enhanced Multi-Format Image Support feature is enabled with at least one extension such as AVIF included in the allowed formats.
Affected Version(s)
Swiss Toolkit For WP 0 <= 1.4.6