CVE-2024-10590

CVSS 3.1 Score 8.8 of 10 (high)

Details

Published Dec 12, 2024
CWE ID 434

Summary

CVE-2024-10590 is a vulnerability affecting the Opt-In Downloads plugin for WordPress. The issue lies in the admin_upload() function, which lacks file type validation. This oversight allows authenticated attackers with Subscriber-level access and above to upload arbitrary files to vulnerable sites. The presence of an .htaccess file limits the impact on Apache servers; NGINX does not process .htaccess files, so on NGINX servers the vulnerability is exploitable for remote code execution. All versions of the plugin up to 4.07 are affected.
