CVE-2026-1555 — AI Deep Analysis Summary

🚨 **Essence**: A critical flaw in the `io_img_upload` function allows **unauthenticated arbitrary file uploads**.…

🛡️ **Root Cause**: **CWE-434** (Unrestricted Upload of File with Dangerous Type). The core flaw is the **lack of file type validation** in the upload handler, allowing malicious scripts to bypass security checks.

📦 **Affected**: **WordPress Plugin: WebStack**. Specifically versions **1.2024 and earlier**. Vendor: **Owen**. 📅 Published: April 15, 2026.

🕵️ **Attacker Capabilities**: With **No Authentication (PR:N)** required, hackers can upload webshells or backdoors.…

⚡ **Exploitation Threshold**: **Extremely Low**. The vector is Network-based (AV:N), Attack Complexity is Low (AC:L), and no User Interaction (UI:N) or Privileges (PR:N) are needed.…

📂 **Public Exploit**: While specific PoC code isn't listed in the data, the vulnerability is well-documented via **Wordfence Threat Intel** and the **GitHub source code** (`ajax.php#L5`).…

🔍 **Self-Check**: Scan for **WebStack plugin** versions ≤ 1.2024. Check if the `io_img_upload` endpoint exists in `inc/ajax.php`. Use DAST tools to test for **unrestricted file upload** vectors on image endpoints.

🔧 **Official Fix**: The data implies a fix is needed. Users must update to a version **newer than 1.2024**. Check the vendor's GitHub repository for the latest patch that implements proper file type validation.

🚧 **Workaround (No Patch)**: If updating isn't immediate, **disable the plugin** entirely.…

🔥 **Urgency**: **CRITICAL**. With a **High CVSS score** and **No Auth** requirement, this is an immediate threat. Prioritize patching or mitigation **today** to prevent RCE and server hijacking.