Photo Engine (Media Organizer & Lightroom) < 6.5.0 – Authenticated (Author+) Arbitrary File Upload | CVE 2026-32524 | Plugin Vulnerabilities

Description

The Photo Engine (Media Organizer & Lightroom) plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 6.4.9. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

Affects Plugins

Fixed in 6.5.0

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/9ec17c72-6426-4e7e-840d-f8c050a25460

Miscellaneous

Original Researcher

Nguyen Ba Khanh

Verified

No

WPVDB ID

7d55eb0c-44f4-433a-91c0-aab90e459e00

Timeline

Publicly Published

2026-03-20 (about 3 months ago)

Added

2026-03-27 (about 3 months ago)

Last Updated

2026-03-27 (about 3 months ago)

Other

Published

Title

Published

2025-08-12

Title

School Management <= 1.93.1 (02-07-2025) - Authenticated (Student+) Arbitrary File Upload

Published

2024-11-11

Title

Sage AI: Chatbots, OpenAI GPT-4 Bulk Articles, Dalle-3 Image Generation <= 2.4.9 - Authenticated (Subscriber+) Arbitrary File Upload

Published

2024-06-28

Title

Newspack Blocks < 3.0.9 - Authenticated (Contributor+) Arbitrary File Upload

Published

2021-09-01

Title

Secure File Manager <= 2.9.3 - Admin+ RCE

Published

2014-08-01

Title

Vk Gallery 1.1.0 - Shell Upload