CVE-2024-10590
CVSS 3.1 Score 8.8 of 10 (high)
Details
Published Dec 12, 2024
CWE ID 434
Summary
CVE-2024-10590 is a vulnerability affecting the Opt-In Downloads plugin for WordPress. The issue lies in the admin_upload() function, which lacks file type validation. This oversight allows authenticated attackers, with Subscriber-level access and above, to upload arbitrary files to vulnerable sites. Because of the presence of an .htaccess file, the impact on Apache servers is limited; on NGINX servers, which do not process .htaccess files, the vulnerability is exploitable for remote code execution. All versions of the plugin up to 4.07 are affected.