Cyber Resilience

CVE-2026-4808

High

Published: 08 April 2026

Published
08 April 2026
Modified
27 April 2026
KEV Added
Patch
CVSS Score v3.1 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0012 30.2th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-4808 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Wordpress (inferred from references). Its CVSS base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Web Shell (T1505.003); ranked at the 30.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-4808 is an arbitrary file upload vulnerability in the Gerador de Certificados – DevApps plugin for WordPress, affecting all versions up to and including 1.3.6. The issue stems from missing file type validation in the moveUploadedFile() function, which allows attackers to upload arbitrary files to the affected site's server. Published on 2026-04-08, the vulnerability has a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-434 (Unrestricted Upload of File with Dangerous Type).

Authenticated attackers with Administrator-level access or higher can exploit this vulnerability over the network with low complexity and no user interaction required. By uploading malicious files, such as web shells, they can achieve remote code execution on the server, potentially leading to full compromise of the WordPress site, including data theft, modification, or further lateral movement.

Advisories reference the vulnerable code in the plugin's admin class at line 346 of class-devapps-certificate-generator-admin.php, as shown in the WordPress plugin Trac repository. Wordfence's threat intelligence page provides additional details on the vulnerability under ID 870bf5fe-00c6-48fe-b9e6-e8233c689b71.

EU & UK References

Vulnerability details

The Gerador de Certificados – DevApps plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the moveUploadedFile() function in all versions up to, and including, 1.3.6. This makes it possible for authenticated attackers,…

more

with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1505.003 Web Shell Persistence
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

The arbitrary file upload vulnerability due to missing validation directly enables attackers to upload web shells for remote code execution on the WordPress server.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-22241Shared CWE-434
CVE-2025-23942Shared CWE-434
CVE-2024-56264Shared CWE-434
CVE-2021-35485Shared CWE-434
CVE-2024-56249Shared CWE-434
CVE-2024-55417Shared CWE-434
CVE-2025-46384Shared CWE-434
CVE-2025-13516Shared CWE-434
CVE-2024-13011Shared CWE-434
CVE-2025-8323Shared CWE-434

Affected Assets

Wordpress
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation of file uploads, addressing the missing file type validation in the moveUploadedFile() function that enables arbitrary file uploads.

prevent

Mandates timely identification, reporting, and remediation of the specific flaw in the WordPress plugin up to version 1.3.6, eliminating the vulnerability.

preventdetect

Deploys malicious code protection mechanisms to scan and eradicate web shells or other dangerous files uploaded via the vulnerable plugin function.

References