PT-2026-44209 · WordPress · Gutenbee

Athiwat Tiprasaharn

·

Published

2026-05-28

·

Updated

2026-05-29

·

CVE-2026-9227

CVSS v3.1

8.8

High

VectorAV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions GutenBee – Gutenberg Blocks versions prior to 2.20.2
Description The plugin is subject to arbitrary file upload due to a flawed substring check in the gutenbee file and ext json() function. The strpos() function only verifies if the filename contains the string '.json' instead of ensuring the file ends with that extension. This allows authenticated attackers with author-level access or higher to bypass validation using double-extension filenames, such as 'shell.json.php', to upload executable files and achieve remote code execution.
Recommendations Update to a version newer than 2.20.1.

Exploit

Fix

Unrestricted File Upload

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-9227

Affected Products

Gutenbee