CVE-2026-27540 - Vulnerability Analysis
CriticalCVSS: 9.0Last Updated: March 19, 2026
Rymera Web Co Pty Ltd. Woocommerce Wholesale Lead Capture - Unrestricted File Upload
Published: March 19, 2026Updated: March 19, 2026KEVPoC AvailableRemote Exploitable
Overview
Rymera Web Co Pty Ltd. Woocommerce Wholesale Lead Capture <= 2.0.3.1 contains an unrestricted file upload vulnerability caused by insufficient validation of uploaded file types, letting attackers upload malicious files remotely, exploit requires no special privileges.
Severity & Score
Severity: Critical
CVSS Score: 9.0
Impact
Attackers can upload malicious files, potentially leading to remote code execution or server compromise.
Mitigation
Update to the latest version beyond 2.0.3.1.
References
- https://x.com/Nxploited/status/2026761480004137364
- https://patchstack.com/database/wordpress/plugin/woocommerce-wholesale-lead-capture/vulnerability/wordpress-woocommerce-wholesale-lead-capture-plugin-1-17-8-arbitrary-file-upload-vulnerability
- https://patchstack.com/database/wordpress/plugin/woocommerce-wholesale-lead-capture/vulnerability/wordpress-woocommerce-wholesale-lead-capture-plugin-1-17-8-arbitrary-file-upload-vulnerability?_s_id=cve
Related Resources
Details
- CVE ID
- CVE-2026-27540
- Severity
- Critical
- CVSS Score
- 9.0
- Type
- unrestricted_file_upload
- Status
- new
CWE
- CWE-434
CVSS Metrics
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H