CVE-2026-57700: WordPress OMGF Pro plugin <= 5.2.6 - Arbitrary File Upload vulnerability
Unrestricted Upload of File with Dangerous Type vulnerability in Daan.Dev OMGF Pro allows Using Malicious Files. This issue affects OMGF Pro: from n/a through 5.2.6.
Metrics
- CVSS v3.1: 10.0
- Severity: CRITICAL
- Fixed in: — (no upstream fix published yet)
- Affected Products: 1
HarborGuard Analysis
Synopsis
An unrestricted file upload vulnerability in the WordPress OMGF Pro plugin (versions up to and including 5.2.6) allows a remote, unauthenticated attacker to upload files of any type, including executable code, to the target server. The flaw is reachable over the network with no credentials and no victim interaction required, and carries a CVSS 10.0 critical score with scope change, meaning impact extends beyond the plugin itself. Successful exploitation gives an attacker full read access, write access, and the ability to crash or take over the underlying server, typically through a web shell uploaded via the vulnerable endpoint. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment an upstream fix is published.
HarborGuard Coverage
- Detection (status: Available). Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds (including Patchstack) within minutes of publication and matched against all customer images, including custom-built WordPress images that bundle OMGF Pro. Any image containing an affected version of the plugin is flagged immediately.
- Prioritization and routing (status: Available). HarborGuard scores this finding at CVSS 10.0 critical and weights it against each environment's compliance policy to determine routing priority. Findings are dispatched to the appropriate team inbox within each customer organization based on configured ownership rules.
- Patched-image rebuild (status: Pending upstream). Because no upstream fix version has been published for this CVE, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment Daan.Dev ships a remediated release. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be triggered without manual intervention at that point.
Exploit Conditions
- Network reachability: Required
The vulnerable endpoint is exposed over the network, so an attacker must be able to reach the WordPress installation via HTTP or HTTPS.
- Authentication: Not required
No account or session token of any kind is needed to trigger the upload; the endpoint accepts unauthenticated requests.
- Victim interaction: Not required
The attacker operates entirely without user interaction; no administrator or visitor needs to click anything or visit a page.
- Attack complexity: Low
Attack complexity is low, meaning the exploit is reliable and requires no race conditions, special memory layout, or other environmental preconditions.
Blast Radius
- An attacker can upload an arbitrary executable file (such as a PHP web shell) and gain remote code execution on the host running WordPress.
- Full confidentiality impact means the attacker reads any data accessible to the web server process, including database credentials, configuration files, and stored user data.
- Full integrity impact means the attacker writes or overwrites any file accessible to the web server process, including core WordPress files and other plugins.
- Full availability impact with scope change means the attacker can crash or render the WordPress service and potentially other co-hosted services inoperable.
How HarborGuard Handles This
Available on HarborGuard: because no patched version of OMGF Pro exists at this time, HarborGuard monitors the Patchstack advisory on every ingest cycle and will trigger a patched-image rebuild automatically once Daan.Dev publishes a fix. For customers with auto-remediation enabled, the rebuild plus a regression test run and a PR against affected workloads will be opened without manual steps. In the interim, recommended compensating controls include removing or disabling the OMGF Pro plugin from all images until a fix is available, applying web application firewall rules to block unauthenticated POST requests to the plugin's upload endpoint, and enforcing network policy restrictions that limit inbound access to WordPress instances to known-good sources. Where compliance policy permits, HarborGuard can flag any image containing OMGF Pro versions at or below 5.2.6 as a blocking issue in CI pipelines to prevent new deployments of affected images.
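One way to implement the CI gate described above, as an added example that is not HarborGuard's or Daan.Dev's own code: scan a WordPress plugins directory, read each plugin's standard WordPress header (the `Plugin Name:` / `Version:` comment block WordPress itself parses), and flag OMGF Pro at or below 5.2.6. The sample plugin tree, including the file name `omgf-pro.php`, is constructed for the demo and is an assumption, not the real plugin's layout.

```python
import re
import tempfile
from pathlib import Path

# Advisory range: "from n/a through 5.2.6", i.e. every version <= 5.2.6 is affected.
AFFECTED_MAX = (5, 2, 6)

# WordPress plugin header lines look like " * Plugin Name: OMGF Pro" / " * Version: 5.2.6".
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version):\s*(.+?)\s*$", re.MULTILINE)


def parse_version(v: str) -> tuple:
    """Turn '5.2.6' or '5.10' into an int tuple so 5.10 compares greater than 5.2 (string comparison would not)."""
    parts = []
    for p in v.strip().split("."):
        m = re.match(r"\d+", p)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts + [0] * (3 - len(parts)))  # pad so (5, 2) == (5, 2, 0)


def is_affected(version: str) -> bool:
    return parse_version(version) <= AFFECTED_MAX


def read_plugin_header(php_path: Path) -> dict:
    # WordPress only reads the first 8 KB of the main plugin file for header fields.
    text = php_path.read_text(errors="ignore")[:8192]
    return {k: v for k, v in HEADER_RE.findall(text)}


def scan_plugins(plugins_dir: Path) -> list:
    """Return (path, version, affected) for every OMGF Pro plugin found under plugins_dir."""
    findings = []
    for php in sorted(plugins_dir.glob("*/*.php")):
        hdr = read_plugin_header(php)
        if hdr.get("Plugin Name", "").strip().lower() == "omgf pro":
            ver = hdr.get("Version", "0")
            findings.append((str(php), ver, is_affected(ver)))
    return findings


def demo() -> list:
    """Constructed sample tree (not real plugin code): one OMGF Pro 5.2.6 header and one unrelated plugin."""
    root = Path(tempfile.mkdtemp())
    (root / "omgf-pro").mkdir()
    (root / "omgf-pro" / "omgf-pro.php").write_text("<?php\n/**\n * Plugin Name: OMGF Pro\n * Version: 5.2.6\n */\n")
    (root / "other").mkdir()
    (root / "other" / "other.php").write_text("<?php\n/**\n * Plugin Name: Other\n * Version: 1.0\n */\n")
    return scan_plugins(root)


if __name__ == "__main__":
    for path, ver, hit in demo():
        print(("BLOCK " if hit else "ok    ") + f"{path} (version {ver})")
```

Point `scan_plugins` at the image's `wp-content/plugins` directory in a CI step and fail the build when any finding has `affected` set to `True`.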
- Daan.dev / OMGF Pro: ≤ 5.2.6
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H