{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27067", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-17T13:23:42.768Z", "datePublished": "2026-03-19T08:41:18.492Z", "dateUpdated": "2026-03-19T13:04:48.542Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-19T08:41:18.492Z"}, "title": "WordPress Mobile App Editor plugin <= 1.3.1 - Arbitrary File Upload vulnerability", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-434", "description": "CWE-434 Unrestricted Upload of File with Dangerous Type", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-650", "descriptions": [{"lang": "en", "value": "CAPEC-650 Upload a Web Shell to a Web Server"}]}], "affected": [{"vendor": "Syarif", "product": "Mobile App Editor", "collectionURL": "https://wordpress.org/plugins", "packageName": "mobile-app-editor", "versions": [{"status": "affected", "version": "n/a", "lessThanOrEqual": "1.3.1", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Unrestricted Upload of File with Dangerous Type vulnerability in Syarif Mobile App Editor allows Upload a Web Shell to a Web Server.This issue affects Mobile App Editor: from n/a through 1.3.1.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Unrestricted Upload of File with Dangerous Type vulnerability in Syarif Mobile App Editor allows Upload a Web Shell to a Web Server.<p>This issue affects Mobile App Editor: from n/a through 1.3.1.</p>"}]}], "tags": ["x_open-source"], "references": [{"url": "https://patchstack.com/database/wordpress/plugin/mobile-app-editor/vulnerability/wordpress-mobile-app-editor-plugin-1-3-1-arbitrary-file-upload-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseSeverity": "CRITICAL", "baseScore": 9.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"}}], "credits": [{"lang": "en", "value": "NumeX | Patchstack Bug Bounty Program", "user": "00000000-0000-4000-9000-000000000000", "type": "finder"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-19T13:04:24.345000Z", "id": "CVE-2026-27067", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-19T13:04:48.542Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27067", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-19T13:04:24.345000Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-19T13:04:29.241Z"}}], "cna": {"tags": ["x_open-source"], "title": "WordPress Mobile App Editor plugin <= 1.3.1 - Arbitrary File Upload vulnerability", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "NumeX | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-650", "descriptions": [{"lang": "en", "value": "CAPEC-650 Upload a Web Shell to a Web Server"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Syarif", "product": "Mobile App Editor", "versions": [{"status": "affected", "version": "n/a", "versionType": "custom", "lessThanOrEqual": "1.3.1"}], "packageName": "mobile-app-editor", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "references": [{"url": "https://patchstack.com/database/wordpress/plugin/mobile-app-editor/vulnerability/wordpress-mobile-app-editor-plugin-1-3-1-arbitrary-file-upload-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Unrestricted Upload of File with Dangerous Type vulnerability in Syarif Mobile App Editor allows Upload a Web Shell to a Web Server.This issue affects Mobile App Editor: from n/a through 1.3.1.", "supportingMedia": [{"type": "text/html", "value": "Unrestricted Upload of File with Dangerous Type vulnerability in Syarif Mobile App Editor allows Upload a Web Shell to a Web Server.<p>This issue affects Mobile App Editor: from n/a through 1.3.1.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-434", "description": "CWE-434 Unrestricted Upload of File with Dangerous Type"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-19T08:41:18.492Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27067", "state": "PUBLISHED", "dateUpdated": "2026-03-19T13:04:48.542Z", "dateReserved": "2026-02-17T13:23:42.768Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-19T08:41:18.492Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Unrestricted Upload of File with Dangerous Type vulnerability in Syarif Mobile App Editor allows Upload a Web Shell to a Web Server.This issue affects Mobile App Editor: from n/a through 1.3.1."}], "id": "CVE-2026-27067", "lastModified": "2026-03-19T13:25:00.570", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 6.0, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-03-19T09:16:17.980", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/wordpress/plugin/mobile-app-editor/vulnerability/wordpress-mobile-app-editor-plugin-1-3-1-arbitrary-file-upload-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-434"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.3.1]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Mobile App Editor", "source": "cna", "vendor": "Syarif"}, "product": "mobile_app_editor", "vendor": "syarif"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-19T09:50:19.324772+00:00", "value": {"mitigation_remediation": ["Verify with the vendor whether an updated, patched version of the Mobile App Editor plugin has been released and install it as soon as possible.", "If an update is not yet available, consider removing the plugin entirely or disabling its upload functionality to eliminate the vulnerability.", "Review the current upload directory for any unexpected or executable files, and remove or quarantine them if necessary.", "Continuously monitor server logs and the upload directory for any suspicious file uploads or attempts to execute uploaded files."], "summary": {"action": "Assess", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Syarif Mobile App Editor plugin for WordPress, versions from the earliest available through 1.3.1.", "description_and_impact": "Unrestricted file upload vulnerability in Syarif Mobile App Editor WordPress plugin (versions 1.3.1 and earlier) allows an attacker to upload any file type, including web shells, to the web server. The flaw is identified as CWE\u2011434 and can enable remote code execution if a malicious file is executed by the server. This attack can compromise the confidentiality, integrity, and availability of the website.", "risk_and_exploitability": "The CVSS base score is 9.1, indicating a high severity vulnerability that permits full remote code execution. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. It is inferred that the attacker would need to use the plugin\u2019s upload interface, which may require authenticated access or a user with upload privileges. Once a malicious file is uploaded and executed, the attacker can run arbitrary code on the web server."}}}}, "created": "2026-03-20T08:57:01.333448+00:00", "updated": "2026-03-20T14:15:14.683463+00:00", "vendors": ["syarif", "syarif$PRODUCT$mobile_app_editor", "wordpress", "wordpress$PRODUCT$wordpress"]}