CVE-2019-19634
9.8 CRITICAL
class.upload.php in verot.net class.upload through 1.0.3 and 2.x through 2.0.4, as used in the K2 extension for Joomla
Published: 2019-12-17 · Last updated: 2026-06-26
Severity and scoring
- CVSS: 9.8 CRITICAL
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- CWE: CWE-434
Affected products
| Vendor | Product |
|---|---|
| joomlaworks | k2, verot |
| verot_project | k2, verot |
Description
class.upload.php in verot.net class.upload through 1.0.3 and 2.x through 2.0.4, as used in the K2 extension for Joomla! and other products, omits .pht from the set of dangerous file extensions, a similar issue to CVE-2019-19576.
Source: NVD
References
- [NVD] https://nvd.nist.gov/vuln/detail/CVE-2019-19634
- [Other] https://github.com/jra89/CVE-2019-19634
- [Exploit reference] https://github.com/verot/class.upload.php/blob/2.0.4/src/class.upload.php#L3068
- [Other] https://medium.com/%40jra8908/cve-2019-19634-arbitrary-file-upload-in-class-upload-php-ccaf9e13875e
Related CVEs
Same vendor
- CVE-2019-19576 — class.upload.php in verot.net class.upload before 1.0.3 and 2.x before 2.0.4, as used in the K2 extension for Joomla (9.8 CRITICAL)
Same CWE
- CVE-2026-40750 — Unrestricted Upload of File with Dangerous Type vulnerability in themagnifico52 Kids Online Store allows Upload a Web Shell to a Web Server (9.9 CRITICAL)
- CVE-2026-6933 — The Premmerce Dev Tools plugin for WordPress is vulnerable to Remote Code Execution via missing authorization in versions up to and inclu... (8.8 HIGH)
- CVE-2026-40772 — Unauthenticated Arbitrary File Upload in GeekyBot <= 1.2.2 versions (10.0 CRITICAL)
- CVE-2026-39591 — Subscriber Arbitrary File Upload in WP-BusinessDirectory <= 4.0.0 versions (9.9 CRITICAL)
- CVE-2026-39527 — Subscriber Arbitrary File Upload in WpStream < 4.11.2 versions (5.4 MEDIUM)