A vulnerability labeled as critical has been found in wpmessiah Swiss Toolkit for WP Plugin up to 1.4.6 on WordPress. This issue affects the function upload_extension_files of the component File Upload. Such manipulation of the argument filename leads to unrestricted upload.

This vulnerability is traded as CVE-2026-2354. The attack may be launched remotely. There is no exploit available.