Hong Kong NGO Warns File Upload Vulnerability (CVE-2026-28114)

Arbitrary File Upload in WordPress WooCommerce License Manager Plugin
Plugin Name: WooCommerce License Manager
Type of Vulnerability: Arbitrary File Upload
CVE Number: CVE-2026-28114
Urgency: Medium
CVE Publish Date: 2026-02-28
Source URL: CVE-2026-28114

Urgent: Arbitrary File Upload in WooCommerce License Manager (CVE-2026-28114) — What WordPress Site Owners Must Do Now

Published: 26 February 2026

As a Hong Kong security expert I summarise the immediate risk and practical steps for site owners and administrators. A security advisory published on 26 February 2026 identifies an arbitrary file upload vulnerability in the WooCommerce License Manager plugin (commonly installed as “WooCommerce License Manager” / CodeCanyon package). Versions up to and including 7.0.6 are affected; a patch is available in version 7.0.7.

This vulnerability allows any authenticated user with the Shop Manager privilege to upload arbitrary files. If a malicious or compromised Shop Manager account uploads a PHP file or other executable code, it can lead to persistent remote code execution (RCE) and full site compromise. Web shells and backdoors are commonly uploaded through this class of vulnerability, so treat affected sites as high priority for immediate remediation.

In this post I explain:

  • why this vulnerability is dangerous;
  • how attackers would abuse it;
  • how to detect potential compromise;
  • emergency mitigations you can apply now (including WAF rule concepts);
  • how to remediate and harden your site;
  • long-term controls for site owners and plugin developers.

TL;DR (Quick actions)

  1. If you run WooCommerce License Manager: update to 7.0.7 immediately.
  2. If you cannot update right now: deactivate the plugin, or apply an emergency WAF rule that blocks file uploads to the plugin endpoints and multipart/form-data POSTs that include executable extensions.
  3. Review user accounts with Shop Manager privileges; remove or audit any untrusted accounts.
  4. Scan your uploads directory and site for web-shells and suspicious files; inspect logs for newly created files and unusual admin activity.
  5. Harden PHP execution in uploads (deny execution via .htaccess or nginx rules) and enable file integrity monitoring.
  6. If you need assistance with investigation or remediation, engage a qualified incident responder rather than relying on unvetted fixes.

What the vulnerability is (plain language)

  • Vulnerability type: Arbitrary file upload.
  • Affected versions: ≤ 7.0.6 (patched in 7.0.7).
  • CVE: CVE-2026-28114.
  • Required privilege: Shop Manager (authenticated non-admin role in WooCommerce).
  • Impact: An authenticated Shop Manager can upload unvalidated files which may be stored in web-accessible directories. Uploading PHP or other executable files can lead to RCE, privilege escalation and persistent backdoors.
  • Exploitability: High — only Shop Manager authentication is required. Many stores grant this role to staff or third parties.

Because the vulnerability allows content to be written to disk without proper filtering, attackers can upload web shells, reverse shells or other payloads for full site takeover or lateral movement in the hosting environment.

Realistic attack scenarios

  1. Malicious employee or contractor: A rogue Shop Manager uploads a backdoor via the plugin’s UI or media uploader and then accesses it.
  2. Compromised Shop Manager credentials: Weak/reused passwords let attackers obtain a Shop Manager account and upload a shell.
  3. Social engineering: An attacker convinces a legitimate Shop Manager to upload a file (e.g., “please upload this licensing file”) containing malicious code.
  4. Automated exploitation: After a public advisory appears, automated scanners and botnets will search for vulnerable installations and attempt uploads.

Sites with multiple shop staff accounts, third-party service accounts, or poor account hygiene are at higher risk.

Indicators of compromise (IoCs) — what to look for right now

Inspect your site for these signs:

  • New or unexpected PHP/PHTML files in:
    • /wp-content/uploads/
    • /wp-content/uploads/*/ (subdirectories)
    • /wp-content/plugins/fs-license-manager/ (plugin folders)
    • /wp-content/uploads/license_files/ or any custom upload folders introduced by the plugin
  • Files with double extensions (e.g., image.php.jpg, shell.php.txt).
  • Recently modified files with suspicious or random names.
  • Suspicious admin activity:
    • New Shop Manager users created.
    • Login activity from unusual IPs or geolocations.
    • Admin actions outside normal hours.
  • Web server logs showing:
    • POST requests with multipart/form-data to plugin endpoints (URIs with “license”, “fs-license-manager”, etc.).
    • Requests for unusual filenames such as /wp-content/uploads/2026/02/abc.php.
    • Requests to execute uploaded files returning 200 for .php files under uploads.
  • Outbound connection attempts from the site (indicating reverse shells).
  • Unexpected scheduled tasks (wp_cron entries) that run PHP files in uploads or plugin directories.

If you see any of these, assume compromise and escalate your incident response immediately.
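As an added example (my own, not code from the advisory or from the plugin), the following PHP CLI script applies the indicators listed above to a directory tree such as wp-content/uploads: executable extensions, double extensions, image files whose magic bytes do not match their extension, PHP open tags in non-PHP files, the suspicious function names from the remediation checklist, and recent modification time. Run with --demo it builds a constructed sample tree in the system temp directory so it can be tried offline; the directory layout, file names and file contents in that demo are invented for illustration. It assumes PHP 7.4 or newer.

```php
<?php
/**
 * Added example (not part of the advisory or the plugin): a CLI scanner that
 * applies the advisory's indicators of compromise to a directory tree.
 * Usage: php scan-uploads.php /path/to/wp-content/uploads [days]
 *        php scan-uploads.php --demo      (constructed sample files in a temp dir)
 */

const EXEC_EXT   = '/\.(?:php[0-9]*|phtml|phar|pl|py|cgi|sh|asp|aspx)$/i';
// An executable extension hidden in front of a harmless one: shell.php.jpg, image.php.txt
const DOUBLE_EXT = '/\.(?:php[0-9]*|phtml)\.[a-z0-9]{1,5}$/i';
// Function names the checklist treats as suspicious, plus preg_replace with the /e flag.
const SUSPICIOUS = '/\b(?:eval|base64_decode|gzinflate|shell_exec|passthru|proc_open|popen|system|exec|assert|create_function)\s*\(|preg_replace\s*\(\s*[\'"][^\'"]*\/e/i';
// Magic bytes expected for common image extensions (spots "images" that are really code).
const MAGIC = ['jpg' => "\xFF\xD8\xFF", 'jpeg' => "\xFF\xD8\xFF", 'png' => "\x89PNG", 'gif' => "GIF8"];

/** Return the list of indicators that apply to one file (empty array = nothing found). */
function scan_path(string $file, int $days): array {
    $findings = [];
    $name = basename($file);
    if (preg_match(DOUBLE_EXT, $name)) $findings[] = 'double-extension';
    if (preg_match(EXEC_EXT, $name))   $findings[] = 'executable-extension';

    $head = (string) @file_get_contents($file, false, null, 0, 4096); // first 4 KiB is enough for signatures
    $ext  = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (isset(MAGIC[$ext]) && strncmp($head, MAGIC[$ext], strlen(MAGIC[$ext])) !== 0) {
        $findings[] = 'magic-mismatch';
    }
    if (strpos($head, '<?php') !== false && !preg_match('/\.php[0-9]*$|\.phtml$/i', $name)) {
        $findings[] = 'php-tag-in-non-php';
    }
    if (preg_match(SUSPICIOUS, $head)) $findings[] = 'suspicious-function';
    if ($days > 0 && filemtime($file) >= time() - $days * 86400) $findings[] = "modified<{$days}d";
    return $findings;
}

/** Walk $root recursively; report files that carry at least one indicator besides recency. */
function scan_tree(string $root, int $days = 0): array {
    $report = [];
    $it = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS));
    foreach ($it as $info) {
        if (!$info->isFile()) continue;
        $f = scan_path($info->getPathname(), $days);
        // A fresh mtime on its own is normal for an uploads folder; report it only with another indicator.
        $strong = array_filter($f, fn($x) => strpos($x, 'modified') !== 0);
        if ($strong) $report[substr($info->getPathname(), strlen($root) + 1)] = $f;
    }
    ksort($report);
    return $report;
}

/** Constructed sample tree: one benign image and three files that should be flagged. */
function build_demo(): string {
    $d = sys_get_temp_dir() . '/lm-scan-demo-' . bin2hex(random_bytes(4));
    mkdir("$d/2026/02", 0700, true);
    file_put_contents("$d/2026/02/photo.jpg", "\xFF\xD8\xFF\xE0" . str_repeat("\0", 64)); // benign JPEG header
    file_put_contents("$d/2026/02/abc.php", "<?php echo 1;");                              // PHP under uploads
    file_put_contents("$d/2026/02/image.php.jpg", "<?php eval(base64_decode(\$_POST['c']));"); // double ext + shell pattern
    file_put_contents("$d/2026/02/logo.png", "<?php system(\$_GET['x']);");                // fake image
    return $d;
}

if (PHP_SAPI === 'cli' && realpath($argv[0] ?? '') === realpath(__FILE__)) {
    $root = ($argv[1] ?? '') === '--demo' ? build_demo() : rtrim($argv[1] ?? 'wp-content/uploads', '/');
    $days = (int) ($argv[2] ?? 30);
    foreach (scan_tree($root, $days) as $path => $why) {
        printf("%-30s %s\n", $path, implode(',', $why));
    }
}
```

In the demo tree photo.jpg is not reported (only its mtime is recent), while abc.php, image.php.jpg and logo.png are each listed with the indicators that apply to them. Against a real uploads directory, review every reported file by hand before deleting anything, and take the forensic backup described in the emergency steps first.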

Immediate steps (emergency remediation — do these now)

  1. Update plugin to 7.0.7

    The patch is the definitive fix. Update through WordPress admin or WP-CLI: wp plugin update <plugin-slug> --version=7.0.7. Note that plugins sold through CodeCanyon are usually not served by the WordPress.org update API, so you may need to obtain the 7.0.7 package from the vendor and install it manually.

  2. If you cannot update immediately:
    • Deactivate the plugin.
    • Or apply a virtual patch with a WAF that blocks uploads to the plugin’s admin endpoints and multipart POSTs that include dangerous file extensions.
  3. Audit Shop Manager accounts:
    • Remove or temporarily disable any accounts you do not absolutely trust.
    • Force password resets for Shop Manager users.
    • Enable 2FA for admin and Shop Manager accounts where possible.
  4. Restrict access to wp-admin by IP where feasible (especially for Shop Manager and admin pages).
  5. Put the site into maintenance mode if you suspect active exploitation while you investigate.
  6. Make a full backup (filesystem + database) before changing or deleting anything—retain it for forensics.

How a WAF helps right away

A WAF can provide virtual patching: it blocks exploit attempts at the edge while you test and deploy the plugin update. Even simple rules that block multipart/form-data POSTs to the plugin upload endpoints or block filenames with executable extensions will reduce automated exploitation and buy time.

Below are WAF rule concepts you can adapt to your WAF/appliance. Test in staging before production to avoid disrupting legitimate admin tasks.

WAF rule concepts

  • Block POSTs to plugin upload endpoints
    • Match URI: regex for (fs-license-manager|woocommerce-license-manager|license-manager)
    • Condition: request method is POST and Content-Type contains multipart/form-data
    • Action: block and log
  • Block uploads where filename extension is executable
    • Filename regex: \.(php(?:[0-9]*)|phtml|pl|py|jsp|asp|aspx|exe|sh|bash|cgi)$
    • Action: block
  • Deny double extension attempts
    • Filename regex: \.(?:php(?:[0-9]*)|phtml)\.(?:jpe?g|png|gif|txt|pdf)$
    • Action: block
  • Block requests containing obvious web‑shell payloads
    • Request body contains regex like: <\?php | base64_decode\( | eval\( | system\( | shell_exec\( | passthru\( | preg_replace\(.*/e
    • Action: block

Example (ModSecurity-style rule; the request body must be inspected, so SecRequestBodyAccess On is required for the FILES collection to be populated):

SecRule REQUEST_URI "@rx /(?:fs-license-manager|woocommerce-license-manager|license-manager)" \
  "id:100001,phase:2,deny,log,status:403,msg:'Block potential license manager file upload exploit',chain"
  SecRule REQUEST_METHOD "@streq POST" "chain"
    SecRule REQUEST_HEADERS:Content-Type "@contains multipart/form-data" "chain"
      # FILES holds the original names of uploaded files; FILES_NAMES holds only the form field names
      SecRule FILES "@rx \.(?:php(?:[0-9]*)|phtml|pl|py|sh|bash|cgi|exe)$" "t:none"

Note: test any WAF rule in a non-production environment first; false positives can block legitimate admin actions. If you use a managed WAF service or hosting provider protection, ask them to apply targeted rules for these plugin endpoints.

File system and server hardening (critical)

Even with the plugin patched, hardening the server configuration to prevent execution of uploaded files is essential.

Apache (.htaccess) example to neutralise PHP execution in uploads

# Place this in /wp-content/uploads/.htaccess
# Turn the PHP engine off where PHP runs as an Apache module (the module name differs by PHP version).
# Under PHP-FPM these php_flag lines are ignored, so the FilesMatch block below is the effective control.
<IfModule mod_php7.c>
  php_flag engine off
</IfModule>
<IfModule mod_php.c>
  php_flag engine off
</IfModule>

# Apache 2.4 syntax: refuse to serve script files under uploads at all
<FilesMatch "\.(php|phtml|php3|php4|php5|phps|pl|py|cgi|asp|aspx)$">
  Require all denied
</FilesMatch>

Nginx example (site config) to deny access and execution

# Regex locations are tested in file order and the first match wins, so this block must
# appear before the site's generic "location ~ \.php$" handler or PHP-FPM will still execute the file.
location ~* ^/wp-content/uploads/.*\.(php|phtml|php3|php4|php5|phps|pl|py|cgi|asp|aspx)$ {
    return 403;
}

location /wp-content/uploads/ {
    try_files $uri $uri/ =404;
    access_log off;
    expires max;
    add_header X-Content-Type-Options nosniff;
}

Other server hardening recommendations:

  • Ensure PHP processes cannot be run from writable directories (open_basedir, disable_functions).
  • Run webserver/php-fpm with least privilege; the webserver user should only have necessary write permissions for uploads.
  • Enable file integrity monitoring and alerts for changes to wp-content, wp-config.php and other critical files.
  • Use read-only permissions for core plugin and theme files where possible.

Deep scan and remediation checklist (if you suspect compromise)

  1. Back up the site (filesystem + database) and take a snapshot for forensics; do not restore blindly.
  2. Run a full malware scan across:
    • wp-content/uploads
    • wp-content/plugins
    • wp-content/themes
    • root directories
  3. Look for suspicious functions: preg_replace /e, eval, base64_decode, gzinflate, system, exec, passthru, proc_open, popen, shell_exec, create_function, assert.
  4. Search for obfuscated PHP (large base64 strings, compressed payloads).
  5. Inspect wp_options for suspicious autoloaded entries and rogue cron jobs.
  6. Check active plugins for modified files (compare to official upstream checksums).
  7. Revoke and rotate credentials that may have been used:
    • WordPress admin and Shop Manager passwords
    • FTP/SFTP, hosting control panel, database user
    • API keys and third-party integration credentials
  8. Clean or replace compromised files — restoring from a known-good backup is often safer.
  9. Remove unknown users and verify legitimate users use strong passwords and 2FA.
  10. Monitor outbound connections for callback shells; block suspicious remote addresses temporarily.
  11. After cleanup, force a complete password reset and reissue keys where necessary.
  12. Re-scan periodically for at least 30 days; attackers often leave secondary backdoors.

If you are unsure how to proceed, engage an experienced incident response specialist. Compromised sites can contain multiple persistence mechanisms that are easy to miss.

Long-term prevention & best practices

  • Keep WordPress core, plugins and themes updated; schedule regular maintenance.
  • Minimise roles: only assign Shop Manager to people who absolutely need it. Use capability management to restrict upload privileges when possible.
  • Require 2FA and enforce strong password policies for all privileged accounts.
  • Maintain regular offsite backups and test restores.
  • Implement file integrity monitoring and change alerts for critical files.
  • Harden server configuration (deny PHP execution in uploads, restrict PHP-FPM pools, use open_basedir).
  • Enable centralized logging and monitoring for easier forensic analysis.
  • Consider virtual patching via a WAF or hosting provider protections to block exploit attempts while you apply permanent fixes.
  • Apply least privilege to filesystem and hosting users.

Guidance for plugin developers (secure coding notes)

If you develop WordPress plugins, particularly those that accept file uploads:

  • Validate file content server-side — do not rely on extension checks alone. Verify MIME types and internal file signatures.
  • Restrict allowed extensions to a minimal set. For necessary non-image files, verify headers and content.
  • Sanitise file names, remove control characters and prevent double extensions (e.g., screenshot.php.jpg).
  • Store uploaded files outside the web root or ensure stored files cannot be executed (server rules / .htaccess).
  • Use non-guessable file names (hashes) and restrict access through secured endpoints if required.
  • Implement capability checks; avoid allowing non-admin roles to upload unvalidated files.
  • Sanitise input used in filesystem operations and use secure temporary directories.
  • Implement rate limiting and CSRF protections on upload endpoints.
  • Have a responsible disclosure process and publish timely security updates.
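To show these rules applied together, here is an added example of a hardened upload handler for a WordPress plugin. It is my own illustration and not code from WooCommerce License Manager or from its 7.0.7 patch; the action name lm_upload_license, the form field license_file, the allowed types and the private storage directory next to ABSPATH are all assumptions. It requires an administrator capability and a nonce, allows a minimal extension set, checks the MIME type and magic bytes of the actual bytes rather than the client-supplied name, rejects double extensions, and stores the file outside the web root under a random name.

```php
<?php
/**
 * Hypothetical hardened upload handler (added example, not the plugin's code).
 * Register it in a plugin file; the form must include wp_nonce_field('lm_upload_license')
 * and post to admin-post.php?action=lm_upload_license with a file field named license_file.
 */

// Minimal allowlist: extension -> MIME type that finfo must report for the file's content.
const LM_ALLOWED_TYPES = [
    'pdf' => 'application/pdf',
    'png' => 'image/png',
    'jpg' => 'image/jpeg',
];

// Magic bytes expected at offset 0 for each allowed extension.
const LM_SIGNATURES = [
    'pdf' => "%PDF-",
    'png' => "\x89PNG\r\n\x1a\n",
    'jpg' => "\xFF\xD8\xFF",
];

/** Validate one $_FILES entry; return the accepted extension or a WP_Error. */
function lm_validate_upload( array $file ) {
    if ( ! isset( $file['tmp_name'], $file['name'], $file['error'] ) || $file['error'] !== UPLOAD_ERR_OK ) {
        return new WP_Error( 'lm_upload_error', 'Upload failed.' );
    }
    if ( ! is_uploaded_file( $file['tmp_name'] ) ) {
        return new WP_Error( 'lm_not_upload', 'Not an uploaded file.' );
    }
    if ( $file['size'] > 2 * MB_IN_BYTES ) {
        return new WP_Error( 'lm_too_large', 'File too large.' );
    }

    // Sanitise the client-supplied name, then insist on exactly one extension so
    // double extensions such as shell.php.jpg never reach the allowlist check.
    $name  = sanitize_file_name( $file['name'] );
    $parts = explode( '.', $name );
    if ( count( $parts ) !== 2 || $parts[0] === '' ) {
        return new WP_Error( 'lm_bad_name', 'Filename must be name.ext with a single extension.' );
    }
    $ext = strtolower( $parts[1] );
    if ( ! isset( LM_ALLOWED_TYPES[ $ext ] ) ) {
        return new WP_Error( 'lm_bad_ext', 'File type not allowed.' );
    }

    // Content checks on the real bytes: finfo MIME detection plus a magic-byte comparison.
    $finfo = finfo_open( FILEINFO_MIME_TYPE );
    $mime  = finfo_file( $finfo, $file['tmp_name'] );
    finfo_close( $finfo );
    if ( $mime !== LM_ALLOWED_TYPES[ $ext ] ) {
        return new WP_Error( 'lm_mime_mismatch', 'File content does not match its extension.' );
    }
    $head = (string) file_get_contents( $file['tmp_name'], false, null, 0, 16 );
    if ( strncmp( $head, LM_SIGNATURES[ $ext ], strlen( LM_SIGNATURES[ $ext ] ) ) !== 0 ) {
        return new WP_Error( 'lm_bad_signature', 'File signature check failed.' );
    }
    return $ext;
}

/** Handler for admin-post.php?action=lm_upload_license (assumed action name). */
function lm_handle_license_upload() {
    // Capability check: administrators only; the Shop Manager role is deliberately not sufficient.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.', '', [ 'response' => 403 ] );
    }
    check_admin_referer( 'lm_upload_license' ); // CSRF protection: dies on a missing or invalid nonce.

    if ( empty( $_FILES['license_file'] ) ) {
        wp_die( 'No file.', '', [ 'response' => 400 ] );
    }
    $ext = lm_validate_upload( $_FILES['license_file'] );
    if ( is_wp_error( $ext ) ) {
        wp_die( esc_html( $ext->get_error_message() ), '', [ 'response' => 400 ] );
    }

    // Store outside the web root (assumed directory one level above ABSPATH) under a random name.
    $dir = dirname( ABSPATH ) . '/license-uploads-private';
    if ( ! is_dir( $dir ) ) {
        mkdir( $dir, 0700, true );
    }
    $dest = $dir . '/' . bin2hex( random_bytes( 16 ) ) . '.' . $ext;
    if ( ! move_uploaded_file( $_FILES['license_file']['tmp_name'], $dest ) ) {
        wp_die( 'Could not store file.', '', [ 'response' => 500 ] );
    }
    chmod( $dest, 0600 );

    // The file is never web-accessible; serve it later only through a capability-checked endpoint.
    wp_safe_redirect( add_query_arg( 'lm_uploaded', '1', wp_get_referer() ?: admin_url() ) );
    exit;
}
add_action( 'admin_post_lm_upload_license', 'lm_handle_license_upload' );
```

Two design points are worth noting. The MIME check and the magic-byte check are redundant on purpose: finfo relies on the system magic database, so the explicit signature table keeps the handler strict even where that database is permissive. Storing under a random name outside the web root means that even a file that somehow passed validation cannot be requested directly by URL, which is the same outcome the server-hardening rules above aim for, enforced in the application as well.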

Sample detection queries for site owners / security teams

Use these commands to find suspicious files and activity:

# Find PHP files in uploads
find wp-content/uploads -type f -iname '*.php' -ls

# Find files modified in the last 30 days
find . -type f -mtime -30 -print

# Search for common web shell patterns
grep -R --line-number -E "eval\(|base64_decode|gzinflate|shell_exec|passthru|proc_open|popen|assert\(|preg_replace\(.*/e" wp-content

# Recently created admin users (DB query)
SELECT user_login, user_email, user_registered FROM wp_users ORDER BY user_registered DESC LIMIT 50;

# Look for suspicious cron entries
SELECT option_name, option_value FROM wp_options WHERE option_name = 'cron' OR option_name LIKE '%cron%';
  

Example WAF rule templates (adapt and test in your environment)

Apply these examples in staging first. Misconfigured rules can block legitimate traffic.

1) Pseudo-mod_security rule to block suspicious uploads

# Requires SecRequestBodyAccess On; FILES holds the uploaded files' original names (FILES_NAMES holds only the form field names).
SecRule REQUEST_METHOD "@streq POST" "id:900001,phase:2,chain,deny,log,status:403,msg:'Block suspicious upload to license manager endpoints'"
  SecRule REQUEST_URI "@rx (?:/wp-admin/|/wp-admin/admin-ajax.php|/wp-admin/admin-post.php|/wp-json/).*?(?:fs-license-manager|license-manager|woocommerce-license-manager)" "chain"
  SecRule REQUEST_HEADERS:Content-Type "@contains multipart/form-data" "chain"
  SecRule FILES "@rx \.(?:php(?:[0-9]*)|phtml|pl|py|sh|cgi|exe)$" "t:none"

2) Nginx/Lua style deny for uploads containing PHP

# OpenResty / ngx_lua. Plain nginx cannot express this check: "if" blocks cannot be nested and
# $request_body is empty when "if" conditions are evaluated, so the body is inspected from Lua instead.
location ~ (?:fs-license-manager|woocommerce-license-manager|license-manager) {
    access_by_lua_block {
        if ngx.req.get_method() ~= "POST" then return end
        local ct = ngx.req.get_headers()["Content-Type"] or ""
        if not ct:lower():find("multipart/form-data", 1, true) then return end
        ngx.req.read_body()
        -- get_body_data() returns nil once the body spills to disk; size client_body_buffer_size accordingly
        local body = ngx.req.get_body_data()
        if body and (body:find("<?php", 1, true)
                     or body:find("%.php%d*[\"'\r\n;]")
                     or body:find("%.phtml[\"'\r\n;]")) then
            ngx.log(ngx.WARN, "blocked suspicious upload to license manager endpoint")
            return ngx.exit(403)
        end
    }
    # keep the site's normal PHP-FPM handling directives for this location below this point
}

3) Block suspicious scanners

Tune rules to block abusive user agents and known exploit scanners, but be careful to avoid false positives.

Recovery: what to do after cleaning

  1. Confirm the site is clean: repeat full scans and verify absence of backdoors and rogue scheduled jobs.
  2. Replace keys and rotate passwords for all accounts.
  3. Reinstall plugins/themes from official sources to ensure no tampering remains.
  4. Monitor logs for at least 30 days for recurring patterns.
  5. Notify stakeholders and follow regulatory notification procedures if customer data was exposed.

Why prevention is cheaper than remediation

A single successful RCE can lead to downtime, lost revenue, search engine blacklisting, extensive forensic costs, and potential exposure of customer data with legal consequences. Applying an emergency mitigation (plugin update, deactivation, or WAF rule) is far cheaper than dealing with a full compromise.

Practical closing — prioritized next steps

  1. Confirm whether your site runs WooCommerce License Manager. If yes, update to 7.0.7 immediately.
  2. Audit Shop Manager accounts and force password resets; enforce 2FA for privileged roles.
  3. If you can’t update immediately: deactivate the plugin or apply virtual patching via your WAF or hosting provider protections.
  4. Harden webserver settings to prevent PHP execution in uploads.
  5. Scan for web shells and suspicious files; follow the remediation checklist if you find indicators of compromise.
  6. Engage an experienced incident responder if you detect compromise or are uncertain how to proceed.

Attackers move quickly once a vulnerability is public. Act now, prioritise high-risk sites, and ensure you have monitoring and incident response plans in place.

— Hong Kong Security Expert
