CVE Catalog

CVE-2024-58348

CriticalCVSS 9.8
Published: Updated: Translated: NVD NIST

Summary

WordPress Background Image Cropper version 1.2 contains a remote code execution vulnerability that allows unauthenticated attackers to upload arbitrary files by accessing the ups.php endpoint. Attackers can upload PHP files through the file upload form in the plugin directory to execute arbitrary code on the server.

Risk Assessment

This vulnerability poses a serious risk to organizations as it allows attackers to execute remote code, potentially leading to server takeover and data breaches.

Recommendation

It is recommended to immediately update the plugin to the latest version that addresses this vulnerability and to conduct a security audit of the server to identify potential threats.

Original NVD description (English source)

WordPress Background Image Cropper version 1.2 contains a remote code execution vulnerability that allows unauthenticated attackers to upload arbitrary files by accessing the ups.php endpoint. Attackers can upload PHP files through the file upload form in the plugin directory to execute arbitrary code on the server.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS