CVE-2026-2942
RCETitle: Arbitrary File Upload in ProSolution WP Client plugin
RCE
Proof Of Concept
PoC Available for CVE-2026-2942
CWE Category
CWE-434
Published Date
Apr 08, 2026
Modified Date
Apr 24, 2026
Exploit Status
Available
Score
9.8
CVSS v3.1
Exploit Probability (EPSS)
0.58%
Vulnerability Summary
CVE-2026-2942: The ProSolution WP Client plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'proSol_fileUploadProcess' function in all versions up to, and including, 1.9.9. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
Impacted Vendors
Analysis in Progress...
Reference Links
https://plugins.trac.wordpress.org/browser/prosolution-wp-client/trunk/public/class-prosolwpclient-public.php?rev=3331282#L993
https://plugins.trac.wordpress.org/changeset/3484577/prosolution-wp-client
https://www.wordfence.com/threat-intel/vulnerabilities/id/3852aef6-42e7-4b71-a1ba-dd41284fd07b?source=cve
CVSS v3.1
Source Entity
[email protected]
Severity
CRITICAL
9.8
Attack Vector
NETWORK
Complexity
LOW
Privileges
N/A
Interaction
NONE
Confidentiality
N/A
Integrity
N/A
Availability
N/A
Scope
UNCHANGED
RAW VECTOR
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Associated Attack Patterns (CAPEC)
Total: PatternsNo specific attack patterns mapped.
Likelihood
Severity
Page /
CVE-2026-2942 Exploits & PoCs (Proof Of Concept)
GitHub
https://github.com/xxconi/CVE-2026-2942
MODIFIED
Vulnerability data updated via NVD.
MODIFIED
Vulnerability data updated via NVD.
MODIFIED
Vulnerability data updated via NVD.
MODIFIED
Vulnerability data updated via NVD.
Attack Vector Matrix
Access Vector
NETWORK
Complexity
LOW
Privileges
N/A
Interaction
NONE
CVSS Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Stack
No specific products linked.