Published On: Mar 27, 2026 10:40
Advisory No: TZCERT-SA-26-0137
Source: CVE Database / PatchStack
Software Affected: halfdata Green Downloads (halfdata-paypal-green-downloads) WordPress plugin, versions up to and including 2.08
A critical Unrestricted Upload of File with Dangerous Type vulnerability (CVE-2026-32536) has been identified in the halfdata Green Downloads WordPress plugin, affecting all versions up to and including 2.08. Published on March 25, 2026, this flaw carries a CVSS score of 9.9 and allows an unauthenticated attacker to upload malicious files to the server, likely enabling remote code execution or persistent web shell access.
CVE-2026-32536 is a critical Unrestricted Upload of File with Dangerous Type vulnerability (CVSS score 9.9) affecting halfdata Green Downloads plugin versions through 2.08. The plugin fails to adequately validate the type or content of files uploaded by users, allowing an attacker to bypass typical file extension or MIME type checks. This enables the placement of server-side executable script files (e.g., PHP, ASP, JSP) directly onto the web server. Once a malicious file, such as a web shell, is successfully uploaded, it can be accessed via a web browser to execute arbitrary commands on the underlying system. The CVSS vector indicates network-accessible exploitation (AV:N), low attack complexity (AC:L), no authentication required (PR:N), and no user interaction needed (UI:N), making this an extremely dangerous vulnerability for any internet-facing WordPress installation running the affected plugin.
Successful exploitation allows a remote unauthenticated attacker to upload and execute arbitrary code on the web server, effectively achieving remote code execution. This can lead to complete server compromise, data exfiltration, installation of persistent backdoors, and use of the server for further malicious activity.
No patch information was available at time of writing. Users are advised to immediately disable or remove the halfdata Green Downloads plugin. Restrict file upload directories to prevent execution of uploaded scripts, and implement WAF rules to block malicious file upload attempts. Monitor official plugin channels for security updates.
A digest of Tanzania Computer Emergency Response Team coverage of cyber-security news across the globe.
