Iptanus File Upload Security & Risk Analysis

wordpress.org/plugins/wp-file-upload

THIS IS FORMER WORDPRESS FILE UPLOAD PLUGIN. Simple yet powerful plugin to allow users to upload files from any page, post or sidebar and manage them.

10K active installs · v5.1.7 · PHP + WP 3.0+ · Updated Dec 20, 2025
Tags: ajax, file, form, page, upload
Security score: 87 (A · Safe)
CVEs total: 27
Unpatched: 0
Last CVE: Feb 24, 2025
Safety Verdict

Is Iptanus File Upload Safe to Use in 2026?

Generally Safe

Score 87/100

Iptanus File Upload has a strong security track record. Known vulnerabilities have been patched promptly.

27 known CVEs · Last CVE: Feb 24, 2025 · Updated 3mo ago
Risk Assessment

The wp-file-upload plugin v5.1.7 exhibits a concerning security posture primarily due to a very large attack surface with a significant number of unprotected AJAX handlers. While the code analysis shows good practices in SQL query handling and output escaping, the sheer volume of entry points lacking proper authorization checks presents a substantial risk. The taint analysis revealed flows with unsanitized paths, indicating a potential for path traversal vulnerabilities, although no critical or high severity issues were identified in this specific analysis.

The plugin's historical vulnerability data is alarming. A total of 27 known CVEs, with a notable number of critical and high severity issues, points to a recurring pattern of serious security flaws. The common vulnerability types listed (CSRF, Code Injection, Missing Authorization, Path Traversal, XSS, Unrestricted Upload) are all severe and can lead to complete site compromise. The fact that the last vulnerability was reported very recently (2025-02-24) and there are currently no unpatched vulnerabilities is a positive sign, suggesting active patching by developers, but the sheer volume and severity of past issues cannot be overlooked.

In conclusion, the plugin demonstrates strengths in its handling of SQL queries and output sanitization. However, the massive, unprotected AJAX endpoint attack surface and the extensive, severe historical vulnerability record are critical weaknesses. Users should be highly cautious and ensure they are on the absolute latest version, coupled with a robust WordPress security strategy that includes regular scanning and monitoring for new vulnerabilities. The risk is elevated due to the plugin's historical patterns of severe security flaws.

Key Concerns

  • Large attack surface with unprotected AJAX handlers
  • Taint analysis found flows with unsanitized paths
  • Large number of past critical severity CVEs
  • Large number of past high severity CVEs
  • Vulnerability history includes Code Injection
  • Vulnerability history includes Path Traversal
  • Vulnerability history includes Unrestricted Upload
  • Vulnerability history includes Missing Authorization
  • Recent vulnerability reported (2025-02-24)
Vulnerabilities (27)

Iptanus File Upload Security Vulnerabilities

CVEs by Year

2014: 2 CVEs
2015: 4 CVEs
2016: 1 CVE
2018: 2 CVEs
2020: 1 CVE
2022: 3 CVEs
2023: 2 CVEs
2024: 7 CVEs
2025: 5 CVEs

Severity Breakdown

Critical: 8
High: 4
Medium: 15

27 total CVEs

CVE-2024-13494 · medium · 4.3 · Cross-Site Request Forgery (CSRF)
WordPress File Upload <= 4.25.2 - Cross-Site Request Forgery in wfu_file_details
Feb 24, 2025 · Patched in 4.25.3 (1d)

CVE-2024-11635 · critical · 9.8 · Improper Control of Generation of Code ('Code Injection')
WordPress File Upload <= 4.24.12 - Unauthenticated Remote Code Execution
Jan 7, 2025 · Patched in 4.24.14 (76d)

CVE-2024-11613 · critical · 9.8 · Improper Control of Generation of Code ('Code Injection')
WordPress File Upload <= 4.24.15 - Unauthenticated Remote Code Execution, Arbitrary File Read, and Arbitrary File Deletion
Jan 7, 2025 · Patched in 4.25.0 (77d)

CVE-2024-9939 · high · 7.5 · Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
WordPress File Upload <= 4.24.13 - Unauthenticated Path Traversal to Arbitrary File Read in wfu_file_downloader.php
Jan 7, 2025 · Patched in 4.24.14 (77d)

CVE-2024-12719 · medium · 4.3 · Missing Authorization
WordPress File Upload <= 4.24.15 - Missing Authorization to Authenticated (Subscriber+) Limited Path Traversal
Jan 6, 2025 · Patched in 4.25.0 (1d)

CVE-2024-9047 · critical · 9.8 · Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
WordPress File Upload <= 4.24.11 - Unauthenticated Path Traversal to Arbitrary File Read and Deletion in wfu_file_downloader.php
Oct 11, 2024 · Patched in 4.24.12 (1d)

CVE-2024-7301 · high · 7.2 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
WordPress File Upload <= 4.24.8 - Unauthenticated Stored Cross-Site Scripting via SVG File Upload
Aug 15, 2024 · Patched in 4.24.9 (1d)

CVE-2024-39639 · medium · 5.4 · Missing Authorization
WordPress File Upload <= 4.24.7 - Missing Authorization
Aug 1, 2024 · Patched in 4.24.8 (8d)

CVE-2024-6494 · high · 7.2 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
WordPress File Upload <= 4.24.7 - Unauthenticated Stored Cross-Site Scripting
Jul 16, 2024 · Patched in 4.24.8 (25d)

CVE-2024-6651 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
WordPress File Upload <= 4.24.7 - Reflected Cross-Site Scripting
Jul 16, 2024 · Patched in 4.24.8 (25d)

CVE-2024-5852 · medium · 4.3 · Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
WordPress File Upload <= 4.24.7 - Authenticated (Contributor+) Directory Traversal
Jul 15, 2024 · Patched in 4.24.8 (1d)

CVE-2024-2847 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
WordPress File Upload <= 4.24.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Mar 29, 2024 · Patched in 4.24.6 (64d)

WF-b6048088-c11c-4741-8dde-da707f8f84f2-wp-file-upload · medium · 4.3 · Cross-Site Request Forgery (CSRF)
WordPress File Upload 4.24.0 - Cross-Site Request Forgery
Nov 14, 2023 · Patched in 4.24.1 (70d)

CVE-2023-4811 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
WordPress File Upload <= 4.23.2 - Authenticated (Administrator+) Stored Cross-Site Scripting
Sep 12, 2023 · Patched in 4.23.3 (133d)

WF-7534f2e5-a296-4c54-99e3-d84f5c9a5b51-wp-file-upload · medium · 5.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
WordPress File Upload <= 4.16.3 - Cross-Site Scripting
May 15, 2022 · Patched in 4.16.4 (618d)

CVE-2021-24960 · medium · 5.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
WordPress File Upload <= 4.16.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Malicious SVG
Feb 14, 2022 · Patched in 4.16.3 (708d)

CVE-2021-24961 · medium · 5.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
WordPress File Upload <= 4.16.2 - Authenticated Stored Cross-Site Scripting via Shortcode
Feb 14, 2022 · Patched in 4.16.3 (708d)

CVE-2020-10564 · critical · 9.8 · Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
WordPress File Upload <= 4.12.2 - Directory Traversal to Remote Code Execution
Mar 13, 2020 · Patched in 4.13.0 (1558d)

CVE-2018-9844 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
WordPress File Upload <= 4.3.3 - Stored Cross-Site Scripting
Apr 6, 2018 · Patched in 4.3.4 (2118d)

CVE-2018-9172 · medium · 4.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
WordPress File Upload <= 4.3.2 - Cross-Site Scripting via Shortcodes
Mar 31, 2018 · Patched in 4.3.3 (2124d)

WF-8ada8a27-752c-4726-b330-895b967ea290-wp-file-upload · critical · 9.8 · Unrestricted Upload of File with Dangerous Type
WordPress File Upload < 3.9.0 - Arbitrary File Upload
Jun 23, 2016 · Patched in 3.9.0 (2770d)

CVE-2015-9341 · critical · 9.8 · Unrestricted Upload of File with Dangerous Type
WordPress File Upload <= 3.4.0 - Arbitrary File Upload
Oct 29, 2015 · Patched in 3.4.1 (3008d)

CVE-2015-9340 · critical · 9.8 · Unrestricted Upload of File with Dangerous Type
WordPress File Upload < 3.0.0 - Arbitrary File Upload
Jul 2, 2015 · Patched in 3.0.0 (3127d)

CVE-2015-9339 · high · 8.2 · Unrestricted Upload of File with Dangerous Type
WordPress File Upload < 2.7.1 - Arbitrary File Upload
May 9, 2015 · Patched in 2.7.1 (3181d)

CVE-2015-9338 · critical · 9.8 · Unrestricted Upload of File with Dangerous Type
WordPress File Upload <= 2.4.6 - Arbitrary File Upload
Jan 23, 2015 · Patched in 2.5.0 (3287d)

CVE-2014-125110 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
WordPress File Upload <= 2.4.3 - Reflected Cross-Site Scripting
Aug 20, 2014 · Patched in 2.4.4 (3536d)

CVE-2014-5199 · medium · 6.3 · Cross-Site Request Forgery (CSRF)
WordPress File Upload < 2.4.2 - Cross-Site Request Forgery
Aug 8, 2014 · Patched in 2.4.2 (3455d)
Code Analysis (analyzed Mar 16, 2026)

Iptanus File Upload Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 7 (101 escaped)
Nonce Checks: 3
Capability Checks: 2
File Operations: 10
External Requests: 0
Bundled Libraries: 0

Output Escaping

94% escaped (108 total outputs)

Data Flows: 2 unsanitized

Data Flow Analysis

2 flows, 2 with unsanitized paths:
wfu_read_downloader_data (wfu_file_downloader.php:23)
Attack Surface: 27 unprotected

Iptanus File Upload Attack Surface

Entry Points: 29
Unprotected: 27

AJAX Handlers (27)

auth    wp_ajax_wfu_ajax_action  (wfu_loader.php:68)
nopriv  wp_ajax_wfu_ajax_action  (wfu_loader.php:69)
auth    wp_ajax_wfu_ajax_action_ask_server  (wfu_loader.php:70)
nopriv  wp_ajax_wfu_ajax_action_ask_server  (wfu_loader.php:71)
auth    wp_ajax_wfu_ajax_action_cancel_upload  (wfu_loader.php:72)
nopriv  wp_ajax_wfu_ajax_action_cancel_upload  (wfu_loader.php:73)
auth    wp_ajax_wfu_ajax_action_send_email_notification  (wfu_loader.php:74)
nopriv  wp_ajax_wfu_ajax_action_send_email_notification  (wfu_loader.php:75)
auth    wp_ajax_wfu_ajax_action_notify_wpfilebase  (wfu_loader.php:76)
nopriv  wp_ajax_wfu_ajax_action_notify_wpfilebase  (wfu_loader.php:77)
auth    wp_ajax_wfu_ajax_action_save_shortcode  (wfu_loader.php:78)
auth    wp_ajax_wfu_ajax_action_check_page_contents  (wfu_loader.php:79)
auth    wp_ajax_wfu_ajax_action_read_subfolders  (wfu_loader.php:80)
auth    wp_ajax_wfu_ajax_action_download_file_invoker  (wfu_loader.php:81)
nopriv  wp_ajax_wfu_ajax_action_download_file_invoker  (wfu_loader.php:82)
auth    wp_ajax_wfu_ajax_action_download_file_monitor  (wfu_loader.php:83)
nopriv  wp_ajax_wfu_ajax_action_download_file_monitor  (wfu_loader.php:84)
auth    wp_ajax_wfu_ajax_action_edit_shortcode  (wfu_loader.php:85)
auth    wp_ajax_wfu_ajax_action_gutedit_shortcode  (wfu_loader.php:86)
auth    wp_ajax_wfu_ajax_action_get_historylog_page  (wfu_loader.php:87)
auth    wp_ajax_wfu_ajax_action_get_uploadedfiles_page  (wfu_loader.php:88)
auth    wp_ajax_wfu_ajax_action_get_adminbrowser_page  (wfu_loader.php:89)
auth    wp_ajax_wfu_ajax_action_get_remotefiles_page  (wfu_loader.php:90)
auth    wp_ajax_wfu_ajax_action_include_file  (wfu_loader.php:91)
auth    wp_ajax_wfu_ajax_action_update_envar  (wfu_loader.php:92)
auth    wp_ajax_wfu_ajax_action_transfer_command  (wfu_loader.php:93)
auth    wp_ajax_wfu_ajax_action_pdusers_get_users  (wfu_loader.php:94)

Shortcodes (2)

[wordpress_file_upload] wfu_loader.php:40
[wfu_block_inline_js] wfu_loader.php:42
WordPress Hooks (18)

action  plugins_loaded  (wfu_loader.php:47)
action  init  (wfu_loader.php:50)
action  widgets_init  (wfu_loader.php:52)
action  admin_init  (wfu_loader.php:54)
action  admin_menu  (wfu_loader.php:55)
action  wp_enqueue_scripts  (wfu_loader.php:58)
action  wp_enqueue_scripts  (wfu_loader.php:59)
action  wp_before_admin_bar_render  (wfu_loader.php:62)
action  wp_before_admin_bar_render  (wfu_loader.php:64)
action  parse_comment_query  (wfu_loader.php:66)
action  show_user_profile  (wfu_loader.php:96)
action  edit_user_profile  (wfu_loader.php:97)
action  personal_options_update  (wfu_loader.php:98)
action  edit_user_profile_update  (wfu_loader.php:99)
action  wfu_daily_scheduled_events  (wfu_loader.php:100)
action  attachment_submitbox_misc_actions  (wfu_loader.php:102)
filter  wfu_before_upload  (wfu_loader.php:104)
filter  _wfu_before_upload  (wfu_loader.php:106)
Maintenance & Trust

Iptanus File Upload Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Dec 20, 2025
PHP min version:
Downloads: 1.4M

Community Trust

Rating: 88/100
Number of ratings: 118
Active installs: 10K
Developer Profile

Iptanus File Upload Developer Profile

nickboss

1 plugin · 10K total installs

Trust score: 70
Avg Security Score: 87/100
Avg Patch Time: 1139 days
Detection Fingerprints

How We Detect Iptanus File Upload

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wp-file-upload/css/wfu_frontend.css
/wp-content/plugins/wp-file-upload/css/wfu_admin.css
/wp-content/plugins/wp-file-upload/css/wfu_editor_plugin.css
/wp-content/plugins/wp-file-upload/css/wfu_materialize.css
/wp-content/plugins/wp-file-upload/css/wfu_bootstrap.css
/wp-content/plugins/wp-file-upload/css/wfu_bootstrap_theme.css
/wp-content/plugins/wp-file-upload/css/wfu_dark_theme.css
/wp-content/plugins/wp-file-upload/css/wfu_light_theme.css
(+11 more)

Script Paths
/wp-content/plugins/wp-file-upload/js/wfu_frontend.js
/wp-content/plugins/wp-file-upload/js/wfu_admin.js
/wp-content/plugins/wp-file-upload/js/wfu_editor_plugin.js
/wp-content/plugins/wp-file-upload/js/wfu_materialize.js
/wp-content/plugins/wp-file-upload/js/wfu_bootstrap.js
/wp-content/plugins/wp-file-upload/js/wfu_bootstrap_theme.js
(+4 more)

Version Parameters
wp-file-upload/css/wfu_frontend.css?ver=
wp-file-upload/css/wfu_admin.css?ver=
wp-file-upload/css/wfu_editor_plugin.css?ver=
wp-file-upload/css/wfu_materialize.css?ver=
wp-file-upload/css/wfu_bootstrap.css?ver=
wp-file-upload/css/wfu_bootstrap_theme.css?ver=
wp-file-upload/css/wfu_dark_theme.css?ver=
wp-file-upload/css/wfu_light_theme.css?ver=
wp-file-upload/css/wfu_premium_theme.css?ver=
wp-file-upload/js/wfu_frontend.js?ver=
wp-file-upload/js/wfu_admin.js?ver=
wp-file-upload/js/wfu_editor_plugin.js?ver=
wp-file-upload/js/wfu_materialize.js?ver=
wp-file-upload/js/wfu_bootstrap.js?ver=
wp-file-upload/js/wfu_bootstrap_theme.js?ver=
wp-file-upload/js/wfu_dark_theme.js?ver=
wp-file-upload/js/wfu_light_theme.js?ver=
wp-file-upload/js/wfu_premium_theme.js?ver=
wp-file-upload/js/tinymce/tinymce.min.js?ver=

HTML / DOM Fingerprints

CSS Classes
wfu_container, wfu_backend_container, wfu_frontend_container, wfu_button, wfu_upload_button, wfu_progress_bar, wfu_file_list, wfu_file_item (+8 more)

HTML Comments
<!-- Wordpress File Upload Plugin -->
<!-- Iptanus File Upload (Wordpress Plugin) -->

Data Attributes
data-wfu-id, data-wfu-uploadurl, data-wfu-maxfilesize, data-wfu-allowedtypes, data-wfu-buttontext, data-wfu-droptext (+3 more)

JS Globals
WFU_Frontend, WFU_Admin, wfu_params, wfu_ajax_object

REST Endpoints
/wp-json/wpfileuploader/v1/upload
/wp-json/wpfileuploader/v1/get_file_list

Shortcode Output
[wordpress_file_upload]
FAQ

Frequently Asked Questions about Iptanus File Upload