CVE-2024-13418
CVE-2024-13418 is a high-severity vulnerability with a CVSS 3.1 base score of 8.8. Several G5plus WordPress themes (listed under Affected Software below) do not check the caller's capabilities in the ajaxUploadFonts() function, so any authenticated user, down to Subscriber level, can upload arbitrary files, which can lead to remote code execution. EPSS estimates a 0.60% chance of exploitation in the next 30 days.
Description
Multiple plugins and/or themes for WordPress are vulnerable to arbitrary file upload due to a missing capability check on the ajaxUploadFonts() function in various versions. This makes it possible for authenticated attackers with Subscriber-level access and above to upload arbitrary files, which can make remote code execution possible. The issue was escalated to Envato more than two months before the date of this disclosure; at the time of disclosure it had been only partially patched and was still exploitable.
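The bug class described above, shown as an added illustration rather than the G5plus theme code (which this page does not reproduce): a WordPress AJAX handler registered on a wp_ajax_ hook, which WordPress fires for any logged-in user, first with no authorization at all and then with the checks a reviewer would expect. The action names, function names, nonce action, capability and target directory are assumptions made for the example.

```php
<?php
/**
 * Added example, not the G5plus theme code: the missing-capability-check
 * pattern behind a Subscriber-reachable arbitrary file upload, beside a
 * hardened handler. Hook names, function names, the nonce action and the
 * target directory are assumptions made for this illustration.
 */

// ---- Vulnerable pattern ----------------------------------------------------
// wp_ajax_{action} fires for ANY logged-in user, Subscribers included.
// Nothing in the handler asks who is calling or what is being uploaded.
add_action( 'wp_ajax_example_upload_fonts', 'example_ajax_upload_fonts_vulnerable' );

function example_ajax_upload_fonts_vulnerable() {
    $upload = wp_upload_dir();
    $dir    = trailingslashit( $upload['basedir'] ) . 'example-fonts/';
    wp_mkdir_p( $dir );

    // Name and content come straight from the request: a shell.php lands
    // under the web root, where the web server will execute it.
    $file = $_FILES['file'];
    move_uploaded_file( $file['tmp_name'], $dir . $file['name'] );

    wp_send_json_success( array( 'file' => $dir . $file['name'] ) );
}

// ---- Hardened pattern ------------------------------------------------------
add_action( 'wp_ajax_example_upload_fonts_safe', 'example_ajax_upload_fonts_safe' );

// Leading bytes of each accepted font container (TrueType, OpenType/CFF,
// WOFF, WOFF2). Anything else, including a renamed PHP file, is refused.
const EXAMPLE_FONT_MAGIC = array(
    'ttf'   => array( "\x00\x01\x00\x00", 'true' ),
    'otf'   => array( 'OTTO' ),
    'woff'  => array( 'wOFF' ),
    'woff2' => array( 'wOF2' ),
);

function example_ajax_upload_fonts_safe() {
    // 1. CSRF: the request must carry a nonce minted for this action.
    check_ajax_referer( 'example_upload_fonts', 'nonce' );

    // 2. Authorization: the check the vulnerable handler lacks. Installing
    //    theme fonts is theme customisation, so require that capability
    //    rather than merely "is logged in".
    if ( ! current_user_can( 'edit_theme_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    if ( empty( $_FILES['file']['tmp_name'] ) || ! is_uploaded_file( $_FILES['file']['tmp_name'] ) ) {
        wp_send_json_error( 'no file uploaded', 400 );
    }
    $tmp  = $_FILES['file']['tmp_name'];
    $name = sanitize_file_name( $_FILES['file']['name'] ); // strips path separators and odd characters

    // 3. Extension allow-list. Done directly rather than through
    //    wp_check_filetype_and_ext, whose default MIME table does not
    //    cover font formats.
    $ext = strtolower( pathinfo( $name, PATHINFO_EXTENSION ) );
    if ( ! isset( EXAMPLE_FONT_MAGIC[ $ext ] ) ) {
        wp_send_json_error( 'not an allowed font type', 415 );
    }

    // 4. Content check: the extension is what the client claims, the first
    //    bytes are what the file actually is. Both must agree.
    $head = file_get_contents( $tmp, false, null, 0, 4 );
    if ( ! in_array( $head, EXAMPLE_FONT_MAGIC[ $ext ], true ) ) {
        wp_send_json_error( 'content does not match font type', 415 );
    }

    // 5. Store under a collision-free name inside the uploads tree; the
    //    sanitised name cannot escape $dir.
    $upload = wp_upload_dir();
    $dir    = trailingslashit( $upload['basedir'] ) . 'example-fonts/';
    wp_mkdir_p( $dir );
    $name = wp_unique_filename( $dir, $name );
    if ( ! move_uploaded_file( $tmp, $dir . $name ) ) {
        wp_send_json_error( 'could not store file', 500 );
    }

    wp_send_json_success( array( 'url' => trailingslashit( $upload['baseurl'] ) . 'example-fonts/' . $name ) );
}
```

When reviewing a plugin or theme for this class of bug, grep for every add_action( 'wp_ajax_...' ) registration and confirm the callback performs both a nonce check and a current_user_can() check before touching $_FILES, the filesystem or options; a wp_ajax_nopriv_ registration for the same callback extends the exposure to unauthenticated visitors.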
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (base score 8.8: reachable over the network, low attack complexity, low privileges, meaning any authenticated account, no user interaction, unchanged scope, and high confidentiality, integrity and availability impact)
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| G5plus | April | <= 5.1 |
| G5plus | Auteur | <= 7.1 |
| G5plus | Benaa | <= 4.0.0 |
| G5plus | Beyot | <= 6.0.6 |
Source: NVD / NIST
