CVE-2026-1730

High

Published: 03 February 2026

Published

03 February 2026

Modified

15 April 2026

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0033 55.8th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

The OS DataHub Maps plugin for WordPress is vulnerable to arbitrary file uploads due to incorrect file type validation in the 'OS_DataHub_Maps_Admin::add_file_and_ext' function in all versions up to, and including, 1.8.3. This makes it possible for authenticated attackers, with Author-level…

access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly requires validation of file upload inputs to enforce proper file type checks, addressing the core flaw in incorrect file type validation.

SI-2 Flaw Remediation good match

prevent

Mandates timely identification, reporting, and correction of flaws like this arbitrary file upload vulnerability through plugin patching.

CM-11 User-installed Software partial match

prevent

Restricts and scans user-installed software such as vulnerable WordPress plugins prior to deployment, preventing exploitation via unapproved components.

Security SummaryAI

CVE-2026-1730 is an arbitrary file upload vulnerability in the OS DataHub Maps plugin for WordPress, affecting all versions up to and including 1.8.3. The flaw arises from incorrect file type validation in the `OS_DataHub_Maps_Admin::add_file_and_ext` function, classified under CWE-434 (Unrestricted Upload of File with Dangerous Type). It carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact.

Authenticated attackers with Author-level access or higher can exploit the vulnerability over the network with low complexity and no user interaction required. By uploading arbitrary files to the affected WordPress site's server, they may achieve remote code execution, compromising the server hosting the plugin.

Advisories point to mitigation through updating the plugin, with a fix reflected in WordPress plugin repository changeset 3452323. Relevant code locations are detailed in the plugin's trac revisions, such as lines 51 and 67 in `osmap-admin.php` and line 87 in `os-datahub-maps.php`. Further analysis is available in the Wordfence threat intelligence report.

Details

CWE(s): CWE-434

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

Arbitrary file upload vulnerability in WordPress plugin enables remote code execution on a public-facing web application, directly facilitating T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://plugins.trac.wordpress.org/browser/os-datahub-maps/trunk/include/osmap-admin.php?rev=3449192#L51
security@wordfence.com
https://plugins.trac.wordpress.org/browser/os-datahub-maps/trunk/include/osmap-admin.php?rev=3449192#L67
security@wordfence.com
https://plugins.trac.wordpress.org/browser/os-datahub-maps/trunk/os-datahub-maps.php?rev=3449192#L87
security@wordfence.com
https://plugins.trac.wordpress.org/changeset/3452323/os-datahub-maps
security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/c32ba2a0-a9a7-4f17-8169-912cecc40b7b?source=cve
security@wordfence.com