High

CVE-2016-20075: Security Advisory

CVE-2016-20075 CVSS 8.8
Who it affects
WordPress Ultimate Product Catalog 3.8.6 contains an arbitrary file upload vulnerability that allows authenticated users with contributor, editor, author, or administrator roles to upload malicious files by exploiting the custom fields functionality.
What to do
Apply the vendor's update in your next patch window.
Deploy the fix with Action1AutomoxManageEngine Patch Manager PlusManageEngine Endpoint Central Are you exposed? Compare patch tools →

CVE-2016-20075 is a high-severity vulnerability (CVSS 8.8).

Summary

WordPress Ultimate Product Catalog 3.8.6 contains an arbitrary file upload vulnerability that allows authenticated users with contributor, editor, author, or administrator roles to upload malicious files by exploiting the custom fields functionality. Attackers can upload PHP shells through the Products tab custom file field and access them via the upcp-product-file-uploads directory to execute arbitrary code on the server.

Remediation

Apply the vendor’s update during your next patch window and verify exposure. Patch-management tools that can deploy and verify the fix include Action1, Automox, ManageEngine Patch Manager Plus, ManageEngine Endpoint Central. See our best patch management ranking.

Sources

Data as of June 16, 2026. Sources: nvd.nist.gov, etoilewebdesign.com, exploit-db.com, vulncheck.com. Figures are pulled from public vendor and security data and refreshed automatically.