CVSS 9.8 · CRITICAL

CVE-2026-5294

The Geeky Bot plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 1.2.2. This is due to a nopriv AJAX route allowing attacker-controlled model/function dispatch and reaching a plugin installer helper that downloads and unzips attacker-supplied ZIP files into wp-content/plugins/. This makes it possible for unauthenticated attackers to perform arbitrary plugin installation and achieve remote code execution.

View on NVD

Analysis

The Geeky Bot plugin for WordPress contains a critical flaw allowing unauthenticated attackers to upload malicious ZIP files and execute arbitrary code. Although the impact is severe, the affected product is a niche plugin rather than a core infrastructure component or a widely used development library.
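The weakness described above is an AJAX route exposed to anonymous visitors that dispatches on a caller-chosen function name. The following is an added example of the hardened shape of such a handler, written here as a defensive illustration; it is not the Geeky Bot plugin's code, and the action name `gb_dispatch`, the `op` parameter and the allowlisted callables are hypothetical.

```php
<?php
// Added example (not the Geeky Bot plugin's code): a hardened WordPress AJAX
// handler for the pattern in the advisory. Names below are hypothetical.

// Register only the authenticated hook. Deliberately no wp_ajax_nopriv_ hook,
// so an unauthenticated request never reaches the dispatcher at all.
add_action( 'wp_ajax_gb_dispatch', 'gb_dispatch_handler' );

function gb_dispatch_handler() {
    // 1. CSRF protection: the request must carry a nonce minted for this action.
    check_ajax_referer( 'gb_dispatch_nonce', 'nonce' );

    // 2. Authorization (the missing check behind CWE-862): anything that can
    //    reach a plugin installer must require the install_plugins capability.
    if ( ! current_user_can( 'install_plugins' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 3. No attacker-controlled dispatch: map the requested operation through a
    //    fixed allowlist instead of calling whatever model/function name arrives.
    $allowed = array(
        'list_settings' => 'gb_list_settings',
    );
    $op = isset( $_POST['op'] ) ? sanitize_key( wp_unslash( $_POST['op'] ) ) : '';
    if ( ! isset( $allowed[ $op ] ) ) {
        wp_send_json_error( array( 'message' => 'unknown operation' ), 400 );
    }

    wp_send_json_success( call_user_func( $allowed[ $op ] ) );
}

// Hypothetical allowlisted operation: read-only, returns the plugin's options.
function gb_list_settings() {
    return get_option( 'gb_settings', array() );
}
```

When reviewing a plugin for this class of bug, look for `wp_ajax_nopriv_` registrations whose callback can reach `download_url()`, `unzip_file()` or a `Plugin_Upgrader` instance without a `current_user_can()` check in between.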

Severity

Score: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AV: NETWORK
AC: LOW
PR: NONE
UI: NONE
S: UNCHANGED
C: HIGH
I: HIGH
A: HIGH
Flaw type (CWE): CWE-862

EPSS

Exploitation probability (next 30 days): 0.0019 (0.2%)
Percentile: 40.7%
EPSS: 2026-05-06


Published: 5/5/2026, 4:16:19
Last modified: 5/5/2026, 19:08:20
