CVE-2026-14489
Last modified
CVE-2026-14489 is a high-severity vulnerability rated 8.8/10 on the CVSS scale. The WHMCS Bridge plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the connect() function in all versions up to, and including, 6.9. This makes it possible for authenticated attackers, with Custom-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.. EPSS estimates a 0.56% chance of exploitation in the next 30 days.
Description
The WHMCS Bridge plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the connect() function in all versions up to, and including, 6.9. This makes it possible for authenticated attackers, with Custom-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weakness Enumeration
Affected Software
Source: CNA advisory (CVE.org). NVD analysis pending.
| Vendor | Product | Versions |
|---|---|---|
| globalprogramming | WHMCS Bridge | <= 6.9 |
References
Timeline
- Published
- Last Modified
- Status
- Deferred
Frequently Asked Questions
What is CVE-2026-14489?
How severe is CVE-2026-14489?
How do I fix CVE-2026-14489?
Related CVEs from 2026
- CVE-2026-14474A flaw was found in SSSD's LDAP sudo provider. When the ldap…8.8
- CVE-2026-14475The Cookie Banner for GDPR / CCPA – WPLP Cookie Consent plug…4.9
- CVE-2026-14476A path traversal flaw was found in SSSD's AD GPO provider. T…8
- CVE-2026-1448A vulnerability was detected in D-Link DIR-615 up to 4.10. T…7.3
- CVE-2026-14482The 多说社会化评论框 plugin for WordPress is vulnerable to Privilege…8.8
- CVE-2026-14487The Simple Coherent Form plugin for WordPress is vulnerable …9.1
- CVE-2026-1449A flaw has been found in Hisense TransTech Smart Bus Managem…7.3
- CVE-2026-14495The DoLogin Security plugin for WordPress is vulnerable to A…8.8
- CVE-2026-1450The rognone plugin for WordPress is vulnerable to Reflected …6.1
- CVE-2026-14500The Bulk Order Update for WooCommerce plugin for WordPress i…5.3
- CVE-2026-1451The rognone plugin for WordPress is vulnerable to Reflected …6.1
- CVE-2026-1452Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMB…
Are you affected by CVE-2026-14489?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST
