Skip Navigation

[Resolved] Authenticated Arbitrary File Upload Vulnerability in Types

This is the technical support forum for Toolset - a suite of plugins for developing WordPress sites without writing PHP.

Everyone can read this forum, but only Toolset clients can post in it. Toolset support works 6 days per week, 19 hours per day.

Our next available supporter will start replying to tickets in about 6.33 hours from now. Thank you for your understanding.

This topic contains 4 replies, has 2 voices.

Last updated by Christopher Amirian 9 months, 1 week ago.

Assisted by: Christopher Amirian.


I got this warning today from my hosting provider about all of my sites that uses Toolset:

WordPress Toolset Types plugin <= 3.4.17 - Authenticated Arbitrary File Upload Vulnerability

Are you working on a resolution?


Christopher Amirian

Languages: English (English )

Hi there,

As we did not have such a report before I'd appreciate it if you can ask for more details about the issue that is happening so we can investigate:

1. What is the issue and which file is involved.
2. Which tool they used to check and conclude that the issue is there,
3. Share with us the log of the issue and we will follow up


The warning came from the hosting provider (InMotionHosting) and was attributed to their WP Toolkit. More details are available here where it also says the vulnerability has been reported to Toolset:

hidden link


Christopher Amirian

Languages: English (English )

Thank you for that. I reported this to the second-tier and we will check this asap to see what is the issue.


Christopher Amirian

Languages: English (English )

Hi there,

We have a new release with the fix implemented.

Please either go to to download Toolset types version 3.4.18.
Or go to WordPress Dashboard > Plugins > Add New and click the "Check for Updates" button to see the new version to install.

Thank you.

This ticket is now closed. If you're a WPML client and need related help, please open a new support ticket.