{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32524", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-03-12T11:12:19.946Z", "datePublished": "2026-03-25T16:15:08.023Z", "dateUpdated": "2026-03-26T18:35:56.992Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "wplr-sync", "product": "Photo Engine", "vendor": "Jordy Meow", "versions": [{"changes": [{"at": "6.5.0", "status": "unaffected"}], "lessThanOrEqual": "<= 6.4.9", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Nguyen Ba Khanh | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:41.335Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Unrestricted Upload of File with Dangerous Type vulnerability in Jordy Meow Photo Engine wplr-sync allows Upload a Web Shell to a Web Server.<p>This issue affects Photo Engine: from n/a through <= 6.4.9.</p>"}], "value": "Unrestricted Upload of File with Dangerous Type vulnerability in Jordy Meow Photo Engine wplr-sync allows Upload a Web Shell to a Web Server.This issue affects Photo Engine: from n/a through <= 6.4.9."}], "impacts": [{"capecId": "CAPEC-650", "descriptions": [{"lang": "en", "value": "Upload a Web Shell to a Web Server"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-434", "description": "Unrestricted Upload of File with Dangerous Type", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:15:08.023Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/wplr-sync/vulnerability/wordpress-photo-engine-plugin-6-4-9-arbitrary-file-upload-vulnerability?_s_id=cve"}], "title": "WordPress Photo Engine plugin <= 6.4.9 - Arbitrary File Upload vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-26T18:35:29.056815Z", "id": "CVE-2026-32524", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T18:35:56.992Z"}}]}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Unrestricted Upload of File with Dangerous Type vulnerability in Jordy Meow Photo Engine wplr-sync allows Upload a Web Shell to a Web Server.This issue affects Photo Engine: from n/a through <= 6.4.9."}], "id": "CVE-2026-32524", "lastModified": "2026-03-25T17:17:05.393", "metrics": {}, "published": "2026-03-25T17:17:05.393", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/wplr-sync/vulnerability/wordpress-photo-engine-plugin-6-4-9-arbitrary-file-upload-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-434"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,6.4.9]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.5.0,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Photo Engine", "source": "cna", "vendor": "Jordy Meow"}, "product": "photo_engine", "vendor": "jordy_meow"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-25T19:18:59.375632+00:00", "value": {"mitigation_remediation": ["Update Photo Engine to a version newer than 6.4.9 as soon as possible", "If the plugin cannot be updated immediately, disable or delete it to stop further uploads", "If the plugin must remain enabled, enforce strict file\u2011type restrictions and validate MIME types before allowing uploads", "Monitor the site\u2019s upload directories for unexpected or suspicious files"], "summary": {"action": "Immediate Patch", "impact": "Remote code execution"}, "threat_synthesis": {"affected_systems": "Jordy Meow\u2019s Photo Engine plugin is affected in all releases from the earliest available version through 6.4.9. No later versions are listed as vulnerable. The issue applies to the plugin as used within WordPress installations.", "description_and_impact": "The Jordy Meow Photo Engine plugin allows the upload of files without validating their type, which permits attackers to upload malicious files such as web shells. This leads to remote execution of code with the privileges of the web server, giving an attacker full control over the target system. The vulnerability is a classic example of CWE\u2011434, an unrestricted upload of a file with a dangerous type.", "risk_and_exploitability": "The lack of a CVSS score or EPSS value means the quantitative severity is not publicly available, but the potential for full system compromise makes it a high\u2011risk issue. Attackers can exploit it through the plugin\u2019s upload interface, likely requiring an authenticated session with upload permissions. Because it is not listed in the CISA KEV catalog, there are no known widespread exploits, yet the possibility of arbitrary file upload remains a critical threat."}}}}, "created": "2026-03-25T21:47:15.899664+00:00", "updated": "2026-03-26T11:35:08.442940+00:00", "vendors": ["jordy_meow", "jordy_meow$PRODUCT$photo_engine", "wordpress", "wordpress$PRODUCT$wordpress"]}