Atomic Edge analysis of CVE-2026-1756 (metadata-based):
The WP FOFT Loader plugin for WordPress versions up to and including 2.1.39 contains an authenticated arbitrary file upload vulnerability. The flaw resides in the `WP_FOFT_Loader_Mimes::file_and_ext` function. Attackers with Author-level privileges or higher can exploit this to upload malicious files, leading to potential remote code execution. The CVSS score of 8.8 (High) reflects the high impact on confidentiality, integrity, and availability with low attack complexity.
Atomic Edge research indicates the root cause is CWE-434, Unrestricted Upload of File with Dangerous Type. The vulnerability description explicitly states “incorrect file type validation” in a specific class method. This suggests the plugin’s file upload handler either fails to verify the file’s MIME type or extension properly, or it uses an insufficient allowlist. Without a code diff, this conclusion is inferred from the CWE classification and the public description. The function name `file_and_ext` implies it handles file and extension validation.
Exploitation requires an authenticated session with at least Author-level capabilities (the `edit_posts` capability). Attackers likely target a WordPress AJAX endpoint (`/wp-admin/admin-ajax.php`) or a custom admin page handler that calls the vulnerable `WP_FOFT_Loader_Mimes::file_and_ext` function. A typical payload would be a multipart form submission containing a PHP web shell disguised with a double extension (e.g., `shell.php.jpg`) or with a manipulated `Content-Type` header. The attacker must identify the correct `action` parameter for the vulnerable upload handler, which may be derived from the plugin slug, such as `wp_ajax_wp_foft_loader_upload`.
Effective remediation requires implementing strict server-side validation of uploaded files. The patched version (2.1.40) likely corrected the `file_and_ext` method to validate both the file’s actual content (using `finfo_file()` or `mime_content_type()`) and its extension against a strict, minimal allowlist. The fix should also enforce file type verification independently of client-supplied metadata. Proper capability checks and nonce verification should already be present but must be confirmed.
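The validation the remediation paragraph describes, written out as an added example (this is illustrative code, not the plugin's own `file_and_ext` and not the 2.1.40 patch). It assumes a hypothetical `wpfl_validate_upload()` helper and an illustrative allowlist of extensions and libmagic MIME strings; a real plugin would allow only the types it actually needs.

```php
<?php
// Added example, not WP FOFT Loader's code. Hardened server-side check for one
// $_FILES entry: exactly one allowlisted extension, MIME type sniffed from the
// file's bytes, and client-supplied metadata ($_FILES[...]['type'], Content-Type)
// ignored entirely. The allowlist is an assumption chosen for illustration.
const WPFL_ALLOWED_TYPES = [
    'woff'  => ['font/woff', 'application/font-woff'],
    'woff2' => ['font/woff2'],
    'css'   => ['text/css', 'text/plain'],
];

/**
 * Validate an uploaded file. $file needs 'name' (client filename) and
 * 'tmp_name' (server temp path). Returns ['ok' => bool, 'reason' => string].
 * $require_uploaded = false only for offline testing with a local sample file.
 */
function wpfl_validate_upload(array $file, bool $require_uploaded = true): array {
    $name = (string) ($file['name'] ?? '');
    $tmp  = (string) ($file['tmp_name'] ?? '');

    // One extension only: "shell.php.jpg" fails on the extra dot, and the
    // character class leaves no room for path separators or null bytes.
    if (!preg_match('/^[A-Za-z0-9_-]{1,100}\.([A-Za-z0-9]{1,8})$/', $name, $m)) {
        return ['ok' => false, 'reason' => 'filename must be name.ext with a single extension'];
    }
    $ext = strtolower($m[1]);
    if (!array_key_exists($ext, WPFL_ALLOWED_TYPES)) {
        return ['ok' => false, 'reason' => "extension .$ext is not allowlisted"];
    }

    // Accept only a file PHP itself received through the HTTP upload path.
    if ($tmp === '' || ($require_uploaded && !is_uploaded_file($tmp))) {
        return ['ok' => false, 'reason' => 'not an uploaded file'];
    }

    // Sniff the real type from content (libmagic) and require it to agree with
    // the extension; the extension check above stays in force regardless.
    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    $mime  = $finfo ? finfo_file($finfo, $tmp) : false;
    if ($finfo) {
        finfo_close($finfo);
    }
    if ($mime === false || !in_array($mime, WPFL_ALLOWED_TYPES[$ext], true)) {
        return ['ok' => false, 'reason' => 'content type ' . var_export($mime, true) . " does not match .$ext"];
    }
    return ['ok' => true, 'reason' => 'accepted'];
}
```

Because libmagic inspects only the leading bytes of a file, the MIME check complements the extension allowlist rather than replacing it. Inside WordPress the same pairing is available through `wp_check_filetype_and_ext()`, and the AJAX handler should still gate on `current_user_can()` and `check_ajax_referer()` before any of this runs.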
Successful exploitation grants an attacker the ability to upload arbitrary files, including PHP scripts, to the WordPress server. This directly leads to remote code execution in the web server's security context. An attacker can achieve complete compromise of the affected site, enabling data theft, site defacement, backdoor installation, and lateral movement within the hosting environment. The requirement for Author-level access limits the immediate attack surface, but that level matches common content contributor roles, making this a significant threat in multi-user WordPress installations.
