CVE-2026-4808

High

Published: 08 April 2026

Published

08 April 2026

Modified

27 April 2026

KEV Added

—

Patch

—

CVSS Score 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0034 56.9th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-4808 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Wordpress (inferred from references). Its CVSS base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Web Shell (T1505.003); ranked in the top 43.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Web Shell (T1505.003). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly requires validation of file uploads, addressing the missing file type validation in the moveUploadedFile() function that enables arbitrary file uploads.

SI-2 Flaw Remediation good match

prevent

Mandates timely identification, reporting, and remediation of the specific flaw in the WordPress plugin up to version 1.3.6, eliminating the vulnerability.

SI-3 Malicious Code Protection good match

preventdetect

Deploys malicious code protection mechanisms to scan and eradicate web shells or other dangerous files uploaded via the vulnerable plugin function.

MITRE ATT&CK Enterprise TechniquesAI

T1505.003 Web Shell Persistence

Adversaries may backdoor web servers with web shells to establish persistent access to systems.

attack.mitre.org →

Why these techniques?

The arbitrary file upload vulnerability due to missing validation directly enables attackers to upload web shells for remote code execution on the WordPress server.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

The Gerador de Certificados – DevApps plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the moveUploadedFile() function in all versions up to, and including, 1.3.6. This makes it possible for authenticated attackers,…

with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

Deeper analysisAI

CVE-2026-4808 is an arbitrary file upload vulnerability in the Gerador de Certificados – DevApps plugin for WordPress, affecting all versions up to and including 1.3.6. The issue stems from missing file type validation in the moveUploadedFile() function, which allows attackers to upload arbitrary files to the affected site's server. Published on 2026-04-08, the vulnerability has a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-434 (Unrestricted Upload of File with Dangerous Type).

Authenticated attackers with Administrator-level access or higher can exploit this vulnerability over the network with low complexity and no user interaction required. By uploading malicious files, such as web shells, they can achieve remote code execution on the server, potentially leading to full compromise of the WordPress site, including data theft, modification, or further lateral movement.

Advisories reference the vulnerable code in the plugin's admin class at line 346 of class-devapps-certificate-generator-admin.php, as shown in the WordPress plugin Trac repository. Wordfence's threat intelligence page provides additional details on the vulnerability under ID 870bf5fe-00c6-48fe-b9e6-e8233c689b71.