CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2026-57700

CVSS 10.0v3.1pub. 2026-06-25upd. 2026-06-29

Unrestricted Upload of File with Dangerous Type vulnerability in Daan.Dev OMGF Pro allows Using Malicious Files. This issue affects OMGF Pro: from n/a through 5.2.6.

🤖 AI Analysis
How it works

The vulnerability consists of a lack of proper restrictions on file types accepted by the upload mechanism in the OMGF Pro plugin. An attacker can upload a file of dangerous type (e.g., PHP script) to the target server without needing an account or user interaction. Once the malicious file is placed on the server, it is possible to execute it remotely, which leads to the compromise of the entire WordPress environment.

Impact

An attacker can gain full control over the server — read and modify data (C:H/I:H), as well as cause service unavailability (A:H). Remote code execution (RCE) on the server side is possible as well as attack escalation to other systems in the network (S:C — scope change).

Mitigation & patch

The OMGF Pro plugin must be updated immediately to a version higher than 5.2.6. Detailed information about the available patch is available in the vendor's references and in the Patchstack database (https://patchstack.com/database/wordpress/plugin/host-google-fonts-pro/vulnerability/wordpress-omgf-pro-plugin-5-2-6-arbitrary-file-upload-vulnerability). Until the update is applied, it is recommended to disable or remove the plugin.

Who is affected

OMGF Pro plugin (WordPress) by Daan.Dev — versions from inception to 5.2.6 inclusive.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
CWE
References