CVE-2024-10629

Published Nov 13, 2024

Last updated 5 months ago

CVSS high 8.8
WordPress

Overview

AI description

Generated using AI and has not been reviewed by Intruder. May contain errors.

CVE-2024-10629 is a vulnerability in the GPX Viewer plugin for WordPress, versions 2.2.8 and earlier. Due to insufficient capability checks and a lack of file type validation within the `gpxv_file_upload()` function, authenticated users with subscriber-level access or higher can create arbitrary files on the server hosting the WordPress site. This vulnerability was publicly disclosed on 2024-11-13. Exploits leveraging this vulnerability have been developed that automate the process of uploading malicious files, such as PHP shells, potentially leading to remote code execution.

Description
The GPX Viewer plugin for WordPress is vulnerable to arbitrary file creation due to a missing capability check and file type validation in the `gpxv_file_upload()` function in all versions up to, and including, 2.2.8. This makes it possible for authenticated attackers, with subscriber-level access and above, to create arbitrary files on the affected site's server which may make remote code execution possible.
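The weakness the description names is a missing authorization check (CWE-862) combined with no file-type validation in an upload handler. The PHP below is an added illustration of that pattern and of its hardened counterpart written for this entry; it is not the GPX Viewer plugin's code, and the function names, hook names, nonce action and `gpx` upload subdirectory are assumptions.

```php
<?php
/**
 * Added illustration of the weakness class this advisory describes
 * (CWE-862, missing authorization, plus no file-type validation in an
 * upload handler). Not the GPX Viewer plugin's code; the function,
 * hook and nonce names are hypothetical.
 */

// --- The vulnerable pattern ----------------------------------------
// Every logged-in user, subscribers included, can reach a wp_ajax_*
// handler. With no capability check and no type validation, the
// request alone decides the name and content of the written file.
function example_gpx_upload_vulnerable() {
    $dir    = wp_upload_dir();
    $target = $dir['basedir'] . '/gpx/' . $_FILES['file']['name'];
    move_uploaded_file( $_FILES['file']['tmp_name'], $target );
    wp_send_json_success( array( 'path' => $target ) );
}
add_action( 'wp_ajax_example_gpx_upload_vulnerable', 'example_gpx_upload_vulnerable' );

// --- The hardened pattern ------------------------------------------
function example_gpx_upload_hardened() {
    // 1. CSRF: the request must carry a nonce minted for this action.
    check_ajax_referer( 'example_gpx_upload', 'nonce' );

    // 2. Authorization, the control missing in CWE-862: being logged in
    //    is not enough; require an explicit capability.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    if ( empty( $_FILES['file']['tmp_name'] ) || ! is_uploaded_file( $_FILES['file']['tmp_name'] ) ) {
        wp_send_json_error( 'no file uploaded', 400 );
    }
    $tmp  = $_FILES['file']['tmp_name'];
    $name = sanitize_file_name( $_FILES['file']['name'] );

    // 3a. Extension allow-list. wp_check_filetype() only inspects the
    //     final extension, so the content check in 3b is what decides.
    $allowed = array( 'gpx' => 'application/gpx+xml' );
    $type    = wp_check_filetype( $name, $allowed );
    if ( 'gpx' !== $type['ext'] ) {
        wp_send_json_error( 'only .gpx files are accepted', 415 );
    }

    // 3b. Content check: the file must parse as XML whose root element
    //     is <gpx>. LIBXML_NONET blocks network access during parsing
    //     and entity substitution is left off, so external entities in
    //     the upload are not resolved here.
    libxml_use_internal_errors( true );
    $dom = new DOMDocument();
    $ok  = $dom->load( $tmp, LIBXML_NONET );
    libxml_clear_errors();
    if ( ! $ok || ! $dom->documentElement || 'gpx' !== $dom->documentElement->localName ) {
        wp_send_json_error( 'file is not a valid GPX document', 415 );
    }

    // 4. Store under a server-chosen, unique .gpx name inside the
    //    uploads directory; the client-supplied path is never used.
    $dir    = wp_upload_dir();
    $subdir = trailingslashit( $dir['basedir'] ) . 'gpx';
    wp_mkdir_p( $subdir );
    $final = wp_unique_filename( $subdir, $name );
    if ( ! move_uploaded_file( $tmp, trailingslashit( $subdir ) . $final ) ) {
        wp_send_json_error( 'could not store file', 500 );
    }
    wp_send_json_success( array( 'url' => trailingslashit( $dir['baseurl'] ) . 'gpx/' . $final ) );
}
add_action( 'wp_ajax_example_gpx_upload_hardened', 'example_gpx_upload_hardened' );
```

The hardened handler layers the checks in the order a reviewer would look for them: a nonce for request forgery, `current_user_can()` for authorization, then type validation that inspects the content rather than trusting the client-supplied name or MIME type, and finally a server-chosen destination name. Storing user uploads in a directory where the web server does not execute scripts is a separate, deployment-level control that this code does not replace.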
Source
security@wordfence.com
NVD status
Awaiting Analysis

Risk scores

CVSS 3.1

Type
Primary
Base score
8.8
Impact score
5.9
Exploitability score
2.8
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity
HIGH

Weaknesses

security@wordfence.com
CWE-862

Social media

Hype score
Not currently trending