Back to overview

CVE-2026-14489

HIGH
8.8
CVSS 3.1
Description
The WHMCS Bridge plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the connect() function in all versions up to, and including, 6.9. This makes it possible for authenticated attackers, with Custom-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

Metadata

CVE ID
CVE-2026-14489
State
PUBLISHED
Assigner
Wordfence
Reserved
2026-07-02 17:07 UTC
Published
2026-07-08 05:34 UTC
Last updated
2026-07-08 05:34 UTC
Primary CWE
CWE-434
CWE-434 Unrestricted Upload of File with Dangerous Type
Vendor / Product
globalprogramming / WHMCS Bridge
Sources
cve.org  ·  NVD

Severity & Metrics

8.8 HIGH CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected products (1)
VendorProductPlatformVersions
globalprogramming WHMCS Bridge 0 ≤ 6.9
Weakness (CWE)
CWESourceDescription
CWE-434 cna CWE-434 Unrestricted Upload of File with Dangerous Type
CVSS scores (1)
ScoreSeverityVersionSourceVector
8.8 HIGH 3.1 cna CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Back to overview