Iptanus File Upload WordPress Plugin Security Vulnerabilities | WPScan

29

December 20, 2025

10000

Published

2026-05-24

Title

Iptanus File Upload < 5.1.7 - File Overwrite via Race Condition

Fixed in

Fixed in 5.1.7

CVSS

5.4 (medium)

Published

2025-02-24

Title

WordPress File Upload < 4.25.3 - Cross-Site Request Forgery in wfu_file_details

Fixed in

Fixed in 4.25.3

CVSS

4.3 (medium)

Published

2025-01-07

Title

WordPress File Upload < 4.24.14 - Unuathenticated Remote Code Execution

Fixed in

Fixed in 4.24.14

CVSS

9.8 (critical)

Published

2025-01-07

Title

WordPress File Upload < 4.25.0 - Unauthenticated Remote Code Execution, Arbitrary File Read, and Arbitrary File Deletion

Fixed in

Fixed in 4.25.0

CVSS

9.8 (critical)

Published

2025-01-07

Title

WordPress File Upload < 4.24.14 - Unauthenticated Path Traversal to Arbitrary File Read in wfu_file_downloader.php

Fixed in

Fixed in 4.24.14

CVSS

7.5 (high)

Published

2025-01-06

Title

WordPress File Upload < 4.25.0 - Missing Authorization to Authenticated (Subscriber+) Limited Path Traversal

Fixed in

Fixed in 4.25.0

CVSS

4.3 (medium)

Published

2024-10-11

Title

WordPress File Upload < 4.24.12 - Unauthenticated Path Traversal to Arbitrary File Read and Deletion in wfu_file_downloader.php

Fixed in

Fixed in 4.24.12

CVSS

9.8 (critical)

Published

2024-08-15

Title

WordPress File Upload < 4.24.9 - Unauthenticated Stored Cross-Site Scripting via SVG File Upload

Fixed in

Fixed in 4.24.9

CVSS

7.2 (high)

Published

2024-08-01

Title

WordPress File Upload < 4.24.8 - Missing Authorization

Fixed in

Fixed in 4.24.8

CVSS

5.4 (medium)

Published

2024-07-16

Title

WordPress File Upload < 4.24.8 - Unauthenticated Stored XSS

Fixed in

Fixed in 4.24.8

CVSS

8.8 (high)

Published

2024-07-16

Title

WordPress File Upload < 4.24.8 - Reflected XSS

Fixed in

Fixed in 4.24.8

CVSS

7.1 (high)

Published

2024-07-15

Title

WordPress File Upload < 4.24.8 - Authenticated (Contributor+) Directory Traversal

Fixed in

Fixed in 4.24.8

CVSS

4.3 (medium)

Published

2024-03-29

Title

WordPress File Upload < 4.24.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Fixed in

Fixed in 4.24.6

CVSS

6.4 (medium)

Published

2023-11-14

Title

Wordpress File Upload < 4.24.1 - Cross-Site Request Forgery

Fixed in

Fixed in 4.24.1

CVSS

4.3 (medium)

Published

2023-09-25

Title

WordPress File Upload < 4.23.3 - Author+ Stored Cross-Site Scripting

Fixed in

Fixed in 4.23.3

CVSS

3.5 (low)

Published

2023-05-23

Title

WordPress File Upload and WordPress File Upload Pro < 4.19.2 - Admin+ Stored Cross-Site Scripting

Fixed in

Fixed in 4.19.2

CVSS

4.4 (medium)

Published

2023-05-23

Title

WordPress File Upload < 4.19.2 - Admin+ Path Traversal

Fixed in

Fixed in 4.19.2

CVSS

4.9 (medium)

Published

2022-03-01

Title

WordPress File Upload < 4.16.3 - Contributor+ Path Traversal to RCE

Fixed in

Fixed in 4.16.3

CVSS

9.9 (critical)

Published

2022-02-14

Title

WordPress File Upload < 4.16.3 - Contributor+ Stored Cross-Site Scripting via Malicious SVG

Fixed in

Fixed in 4.16.3

CVSS

6.8 (medium)

Published

2022-02-14

Title

WordPress File Upload < 4.16.3 - Contributor+ Stored Cross-Site Scripting via Shortcode

Fixed in

Fixed in 4.16.3

CVSS

6.8 (medium)

Published

2020-03-13

Title

WordPress File Upload < 4.13.0 - Directory Traversal to RCE

Fixed in

Fixed in 4.13.0

CVSS

9.8 (critical)

Published

2018-04-06

Title

WordPress File Upload <= 4.3.3 - Cross-Site Scripting (XSS)

Fixed in

Fixed in 4.3.4

CVSS

6.1 (medium)

Published

2018-04-01

Title

WordPress File Upload <= 4.3.2 - Security Issue in Shortcodes

Fixed in

Fixed in 4.3.3

CVSS

5.4 (medium)

Published

2016-06-23

Title

WordPress File Upload < 3.9.0 - Insufficient File Extension Blacklisting

Fixed in

Fixed in 3.9.0

CVSS

n/a

Published

2015-10-29

Title

WordPress File Upload <= 3.4.0 - Unauthenticated Malicious File Upload

Fixed in

Fixed in 3.4.1

CVSS

7.5 (high)

Published

2015-07-02

Title

WordPress File Upload < 3.0.0 - Multiple Vulnerabilities

Fixed in

Fixed in 3.0.0

CVSS

7.5 (high)

Published

2015-05-09

Title

WordPress File Upload < 2.7.1 - JS File Upload

Fixed in

Fixed in 2.7.1

CVSS

7.5 (high)

Published

2015-01-23

Title

WordPress File Upload < 2.5.0 - PHP File Upload

Fixed in

Fixed in 2.5.0

CVSS

7.5 (high)

Published

2014-09-19

Title

WordPress File Upload < 2.4.2 - Cross-Site Request Forgery (CSRF)

Fixed in

Fixed in 2.4.2

CVSS

n/a