CVE-2026-9227: GutenBee <= 2.20.1 - Authenticated (Author+) Arbitrary File Upload via wp_check_filetype_and_ext Filter
The GutenBee – Gutenberg Blocks plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 2.20.1 via the gutenbee_file_and_ext_json function. This is due to a flawed strpos() substring check that only verifies whether the filename contains the string '.json' rather than confirming the filename ends with a .json extension, allowing double-extension filenames like shell.json.php to bypass validation. This makes it possible for authenticated attackers, with author-level access and above, to upload files that may be executable, which makes remote code execution possible.
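To make the flaw concrete, the following is an added illustration (hypothetical code, not GutenBee's own) of a `wp_check_filetype_and_ext` filter that vouches for `.json` uploads: first with the substring check the advisory describes, then with a check on the final extension plus a content parse. The function names and sample filenames are constructed for the demo.

```php
<?php
// Added illustration, not GutenBee's code: two versions of a
// 'wp_check_filetype_and_ext' filter that vouches for .json uploads.
// $data carries WordPress's verdict ('ext', 'type', 'proper_filename').

// Flawed pattern described in the advisory: strpos() asks only whether
// '.json' appears somewhere in the name, so 'shell.json.php' is accepted.
function flawed_json_check( array $data, string $file, string $filename ): array {
    if ( strpos( $filename, '.json' ) !== false ) {
        $data['ext']  = 'json';
        $data['type'] = 'application/json';
    }
    return $data;
}

// Hardened: the *last* extension must be json (case-insensitively) and the
// bytes on disk must parse as JSON before the filter overrides the verdict.
function hardened_json_check( array $data, string $file, string $filename ): array {
    if ( 'json' !== strtolower( pathinfo( $filename, PATHINFO_EXTENSION ) ) ) {
        return $data; // not a .json name: leave WordPress's own decision alone
    }
    $contents = is_readable( $file ) ? file_get_contents( $file ) : '';
    json_decode( $contents );
    if ( JSON_ERROR_NONE !== json_last_error() ) {
        return $data; // name says json, content does not: do not vouch for it
    }
    $data['ext']  = 'json';
    $data['type'] = 'application/json';
    return $data;
}

// Stand-alone demo on constructed filenames. Inside WordPress the hardened
// version would be registered with:
// add_filter( 'wp_check_filetype_and_ext', 'hardened_json_check', 10, 3 );
$verdict = array( 'ext' => false, 'type' => false, 'proper_filename' => false );
$tmp     = tempnam( sys_get_temp_dir(), 'gb' );
file_put_contents( $tmp, '{"constructed":"sample"}' );
foreach ( array( 'layout.json', 'shell.json.php', 'layout.JSON' ) as $name ) {
    $f = flawed_json_check( $verdict, $tmp, $name );
    $h = hardened_json_check( $verdict, $tmp, $name );
    // "yes" means the filter vouched for the file as JSON, "no" means it left
    // WordPress's own (rejecting) verdict in place.
    printf( "%-15s flawed: %-4s hardened: %s\n", $name,
        $f['ext'] ? 'yes' : 'no', $h['ext'] ? 'yes' : 'no' );
}
unlink( $tmp );
```

Note that the hardened check is about the final extension, not about banning the string `php`: a name like `shell.json.php` is rejected because its last extension is `php`, regardless of what precedes it.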
HarborGuard Analysis
Synopsis
Arbitrary file upload vulnerability in the GutenBee Gutenberg Blocks plugin for WordPress (versions up to and including 2.20.1) allows an authenticated attacker to upload executable files to the server. The flaw is reachable over the network and requires only a low-privilege (Author-level) WordPress account. Successful exploitation enables remote code execution on the host running the WordPress installation. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment an upstream fix is published.
HarborGuard Coverage
- [Available] Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds (including Wordfence and NVD) within minutes of publication and matched against all customer images, including custom-built WordPress images that bundle the GutenBee plugin. Images at any affected version up to and including 2.20.1 are flagged automatically.
- [Available] HarborGuard scores this finding at CVSS 8.8 HIGH and weights it against each customer organization's compliance policy to determine urgency tier and routing. Findings are delivered to the appropriate team inbox within the customer org based on configured ownership rules, so the right people see it without manual triage.
- [Pending upstream] Because no upstream fix version has been published yet, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment the plugin maintainer ships a remediated release. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be triggered without manual intervention as soon as a fix version is confirmed.
Exploit Conditions
- Network reachability: Required
  The vulnerable endpoint is exposed over the network, so an attacker must be able to reach the WordPress instance via HTTP or HTTPS.
- Authentication: Required
  A valid WordPress account with Author-level privileges or higher is needed; any low-privilege authenticated user is sufficient to trigger the upload.
- Victim interaction: Not required
  No action from another user or administrator is required; the attacker submits the malicious upload directly.
- Attack complexity: Low
  Exploitation is straightforward and condition-free: the bypass relies on a simple double-extension filename (e.g. shell.json.php) that consistently passes the flawed strpos() check, with no race conditions or special environmental factors required.
Blast Radius
- The attacker can execute arbitrary code on the server hosting the WordPress installation, gaining full control of the web application process.
- Confidential data accessible to that process, including WordPress database credentials, stored user records, and session tokens, can be read directly.
- The attacker can modify or delete files within the web root and any writable paths, including theme files, plugin code, and uploaded media.
- The web server process can be crashed or monopolized, taking the WordPress site offline for legitimate users.
How HarborGuard Handles This
Available on HarborGuard: the CVE is matched against every customer image that bundles GutenBee at a version up to and including 2.20.1, covering both images pulled from public registries and custom-built WordPress images. Because no upstream patch exists yet, HarborGuard monitors the Wordfence and NVD advisory feeds on every ingest cycle and will make a patched-image rebuild available automatically once the plugin maintainer publishes a fix. For customers with auto-remediation enabled, the rebuild, regression test run, and a PR opened against affected workloads will be triggered immediately upon fix confirmation. In the interim, compensating controls worth considering include network-policy rules that restrict WordPress file-upload endpoints to known trusted IP ranges, web application firewall rules that block double-extension filenames in multipart upload requests, and disabling the gutenbee_file_and_ext_json upload path via a feature flag or mu-plugin override if the JSON upload capability is not actively used in your environment.
Metrics
- CVSS v3.1: 8.8
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
  - cssigniterteam / GutenBee – Gutenberg Blocks: ≤ 2.20.1
- CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H