Arbitrary File Upload Vulnerability in Gerador de Certificados Plugin for WordPress
CVE-2026-4808

7.2HIGH

Key Information:

Vendor: WordPress
Status: Gerador De Certificados – Devapps
Vendor: CVE Published:; 8 April 2026

What is CVE-2026-4808?

The Gerador de Certificados – DevApps plugin for WordPress is susceptible to an arbitrary file upload vulnerability due to inadequate validation of file types in the moveUploadedFile() function. This flaw exists in all versions up to and including 1.3.6. Authenticated users with Administrator-level access or higher may exploit this vulnerability to upload malicious files on the server, which could facilitate remote code execution, posing significant security risks to the affected site.

Affected Version(s)

Gerador de Certificados – DevApps 0 <= 1.3.6

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/gerador-de-cer...

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 8, 2026
Vulnerability Reserved
Mar 25, 2026

Credit

Abhirup Konwar

CVE-2026-4808 Data

JSON