[Resolved] Authenticated Arbitrary File Upload Vulnerability

This thread is resolved. Here is a description of the problem and solution.


There was a vulnerability report.


Update Toolset plugins to the latest version.

This is the technical support forum for Toolset - a suite of plugins for developing WordPress sites without writing PHP.

This topic contains 5 replies, has 2 voices.

Last updated by dbarber 1 year, 3 months ago.

Assisted by: Christopher Amirian.


I received a notification about a site with Toolset plugins that Types 3.4.17 has a vulnerability.

More info: hidden link

Please advise.



Christopher Amirian

Hi there,

Thank you, we will double-check this. Meanwhile, is there any detailed information on which file has the issue mentioned?

Maybe you can give more info?


The original report came from iThemes Security Pro, which you can find here:

hidden link

I've got the raw details from the report. I don't think they'd be helpful, but let me know if you want them.


Christopher Amirian

Hi there,

Thank you very much. I reported this to the second-tier support and will get back to you as soon as I have an update.



Christopher Amirian

Hi there,

We have a new release with the fix implemented.

Please either go to to download Toolset types version 3.4.18.
Or go to WordPress Dashboard > Plugins > Add New and click the "Check for Updates" button to see the new version to install.

Thank you.


Thank you.

This ticket is now closed. If you're a Toolset client and need related help, please open a new support ticket.