Loading market data...
← Back to CVE feed

CVE-2016-20075

HIGH CVSS 8.8 View on NVD ↗

Description

WordPress Ultimate Product Catalog 3.8.6 contains an arbitrary file upload vulnerability that allows authenticated users with contributor, editor, author, or administrator roles to upload malicious files by exploiting the custom fields functionality. Attackers can upload PHP shells through the Products tab custom file field and access them via the upcp-product-file-uploads directory to execute arbitrary code on the server.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Published: Jun 15, 2026 14:16 UTC Modified: Jun 15, 2026 20:50 UTC