CVE-2019-19576
9.8 CRITICAL
class.upload.php in verot.net class.upload before 1.0.3 and 2.x before 2.0.4, as used in the K2 extension for Joomla
Published: 2019-12-04 · Last updated: 2026-06-26
Severity and scoring
- CVSS
- 9.8 CRITICAL
- Vector
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- CWE
- CWE-434
Affected products
| Vendor | Product |
|---|---|
| joomlaworks | k2 |
| verot_project | verot |
Description
class.upload.php in verot.net class.upload before 1.0.3 and 2.x before 2.0.4, as used in the K2 extension for Joomla! and other products, omits .phar from the set of dangerous file extensions.
Source: NVD
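The description comes down to a blacklist of "dangerous" extensions with one entry missing. That matters because common Apache setups hand .phar to the PHP interpreter (Debian and Ubuntu ship `<FilesMatch ".+\.ph(ar|p|tml)$">` with `SetHandler application/x-httpd-php` in their mod_php and php-fpm configs), so an uploaded shell.phar runs exactly like shell.php. The PHP below is an added illustration of that weakness class and its two fixes; it is not class.upload.php's own code. The blacklists are constructed subsets (the library's real list is longer), the function names and the sample filenames are the example's own, and the only fact taken from the advisory is that the fix consists of adding "phar" to the list.

```php
<?php
declare(strict_types=1);

// Added example for CVE-2019-19576, not class.upload.php's own code.
// Illustrative pre-fix blacklist: "phar" is absent (constructed subset).
const BLACKLIST_BEFORE = ['php', 'php3', 'php4', 'php5', 'phtml', 'phps', 'pl', 'cgi', 'py', 'asp', 'jsp', 'sh'];
// Same list with the CVE-2019-19576 fix applied: "phar" added.
const BLACKLIST_AFTER  = ['php', 'php3', 'php4', 'php5', 'phtml', 'phps', 'phar', 'pl', 'cgi', 'py', 'asp', 'jsp', 'sh'];
// Closed allowlist for an image upload endpoint (assumed policy).
const ALLOWED_IMAGES   = ['jpg', 'jpeg', 'png', 'gif', 'webp'];

/** Final extension segment, lower-cased; "" when the name has none. */
function lastExtension(string $filename): string
{
    return strtolower(pathinfo(basename($filename), PATHINFO_EXTENSION));
}

/** Blacklist check: true when the final extension is listed as dangerous. */
function rejectedByBlacklist(string $filename, array $blacklist): bool
{
    return in_array(lastExtension($filename), $blacklist, true);
}

/**
 * Allowlist check: accept only when the final extension is allowed AND no
 * earlier segment is a server-side executable extension. The second rule
 * catches names like shell.phar.jpg on hosts whose handler is attached with
 * AddHandler (which matches any segment) rather than an anchored FilesMatch.
 */
function acceptedByAllowlist(string $filename, array $allowed, array $executable): bool
{
    $segments = explode('.', strtolower(basename($filename)));
    if (count($segments) < 2) {
        return false;                   // no extension at all: refuse
    }
    $ext = array_pop($segments);
    if (!in_array($ext, $allowed, true)) {
        return false;                   // not in the closed set
    }
    foreach ($segments as $inner) {
        if (in_array($inner, $executable, true)) {
            return false;               // double extension, e.g. shell.phar.jpg
        }
    }
    return true;
}

// Constructed sample of names an uploader might submit.
$samples = ['avatar.jpg', 'shell.php', 'shell.phar', 'shell.PHAR', 'shell.phar.jpg', 'README'];

printf("%-16s %-8s %-8s %-9s\n", 'filename', 'pre-fix', 'fixed', 'allowlist');
foreach ($samples as $name) {
    printf("%-16s %-8s %-8s %-9s\n",
        $name,
        rejectedByBlacklist($name, BLACKLIST_BEFORE) ? 'reject' : 'ACCEPT',
        rejectedByBlacklist($name, BLACKLIST_AFTER)  ? 'reject' : 'ACCEPT',
        acceptedByAllowlist($name, ALLOWED_IMAGES, BLACKLIST_AFTER) ? 'accept' : 'reject');
}
```

Run with `php example.php`. The pre-fix column accepts shell.phar and shell.PHAR (the case fold does not help, since "phar" is simply not in the list), the fixed column rejects them, and only the allowlist rejects shell.phar.jpg and the extension-less README. The practical lesson of this CVE is the last column: a blacklist is only as complete as its author's knowledge of the web server's handler mappings, whereas a closed allowlist plus a check on every inner segment does not need to be updated when a new executable extension turns up.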
References
- [NVD]https://nvd.nist.gov/vuln/detail/CVE-2019-19576
- [Exploit reference]http://packetstormsecurity.com/files/155577/Verot-2.0.3-Remote-Code-Execution.html
- [Patch]https://github.com/getk2/k2/commit/d1344706c4b74c2ae7659b286b5a066117155124
- [Exploit reference]https://github.com/jra89/CVE-2019-19576
- [Patch]https://github.com/verot/class.upload.php/commit/5a7505ddec956fdc9e9c071ae5089865559174f1
- [Patch]https://github.com/verot/class.upload.php/commit/db1b4fe50c1754696970d8b437f07e7b94a7ebf2
- [Patch]https://github.com/verot/class.upload.php/compare/1.0.2...1.0.3
- [Patch]https://github.com/verot/class.upload.php/compare/2.0.3...2.0.4
- [Other]https://medium.com/%40jra8908/cve-2019-19576-e9da712b779
- [Other]https://www.verot.net
- [Vendor advisory]https://www.verot.net/php_class_upload.htm
Related CVEs
Same vendor
- CVE-2019-19634 — class.upload.php in verot.net class.upload through 1.0.3 and 2.x through 2.0.4, as used in the K2 extension for Joomla (9.8 CRITICAL)
Same CWE
- CVE-2026-40750 — Unrestricted Upload of File with Dangerous Type vulnerability in themagnifico52 Kids Online Store allows Upload a Web Shell to a Web Server (9.9 CRITICAL)
- CVE-2026-6933 — The Premmerce Dev Tools plugin for WordPress is vulnerable to Remote Code Execution via missing authorization in versions up to and inclu... (8.8 HIGH)
- CVE-2026-40772 — Unauthenticated Arbitrary File Upload in GeekyBot <= 1.2.2 versions (10.0 CRITICAL)
- CVE-2026-39591 — Subscriber Arbitrary File Upload in WP-BusinessDirectory <= 4.0.0 versions (9.9 CRITICAL)
- CVE-2026-39527 — Subscriber Arbitrary File Upload in WpStream < 4.11.2 versions (5.4 MEDIUM)