CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2026-40772

CVSS 10.0v3.1pub. 2026-06-15

Unauthenticated Arbitrary File Upload in GeekyBot <= 1.2.2 versions.

🤖 AI Analysis
How it works

The vulnerability classified as CWE-434 (Unrestricted Upload of File with Dangerous Type) consists of a lack of proper verification of the types and content of uploaded files. An attacker without any account or permissions can send a specially crafted request to the vulnerable endpoint of the plugin and upload an executable file, such as a PHP webshell, to the server. The uploaded file can then be executed by the attacker directly through a browser or HTTP request.

Impact

Successful exploitation of this vulnerability allows an attacker to execute arbitrary code on the server (RCE), which can lead to complete takeover of the WordPress service, data theft, installation of a backdoor, or use of the server as a launch point for further attacks on the network.

Mitigation & patch

The GeekyBot plugin should be updated immediately to a version higher than 1.2.2. If an update is not available, the plugin should be deactivated and removed immediately. Detailed information about available patches should be checked in the vendor references and in the Patchstack database.

Who is affected

GeekyBot plugin for WordPress in versions 1.2.2 and earlier

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
CWE
References