Skip to main content

Feed Comments Number CVE-2024-49216

CRITICAL
Unrestricted Upload of File with Dangerous Type (CWE-434)
2024-10-16 audit@patchstack.com
10.0
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
10.0 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
CVSS changed
Apr 29, 2026 - 10:22 NVD
10.0 (CRITICAL)
CVE Published
Oct 16, 2024 - 14:15 nvd
N/A

DescriptionCVE.org

Unrestricted Upload of File with Dangerous Type vulnerability in jclay06 Feed Comments Number feed-comments-number allows Upload a Web Shell to a Web Server.This issue affects Feed Comments Number: from n/a through <= 0.2.1.

AnalysisAI

Unrestricted file upload in the Feed Comments Number WordPress plugin (jclay06, versions through 0.2.1) allows remote unauthenticated attackers to upload arbitrary files including web shells, leading to full server compromise. The maximum CVSS 10.0 score with scope-changed impact reflects complete confidentiality, integrity, and availability loss, though no public exploit identified at time of analysis and EPSS sits at 0.97% indicating modest near-term exploitation likelihood.

Technical ContextAI

The vulnerability is rooted in CWE-434 (Unrestricted Upload of File with Dangerous Type), a class of flaw where an application's file upload handler fails to validate the file extension, MIME type, or content before writing it to a web-accessible directory. In WordPress plugin ecosystems, this typically means an upload endpoint either lacks a server-side allow-list check or trusts client-supplied content-type headers. Feed Comments Number is a third-party WordPress plugin authored by jclay06 that augments feed comment count display; the affected branch covers all versions up to and including 0.2.1. Because the resulting file lands inside the WordPress uploads directory (executable by PHP), attackers can drop a .php web shell and request it directly via HTTP.

Affected ProductsAI

The vulnerability affects the WordPress plugin Feed Comments Number authored by jclay06, all versions from initial release through and including 0.2.1, with no lower bound specified ('from n/a'). No CPE string was provided in the source intelligence, and no vendor advisory URL was supplied beyond the Patchstack reporter attribution; defenders should consult patchstack.com/database for the canonical advisory and confirm CPE coverage via NVD before scanning.

RemediationAI

No vendor-released patch identified at time of analysis based on the supplied data - the description indicates the issue affects 'up to and including 0.2.1' without naming a fixed version. The strongest compensating control is to deactivate and remove the Feed Comments Number plugin from all WordPress installations until a fixed release is published; given the plugin's narrow function (displaying comment counts in feeds) removal carries minimal operational impact. Until removal is possible, restrict access to wp-admin and the plugin's upload endpoints via web-server-level authentication or IP allow-listing, deny PHP execution within wp-content/uploads via an .htaccess or nginx location rule (side effect: may break other plugins that legitimately stage PHP there), and deploy a WAF rule blocking multipart uploads with executable extensions to the plugin's handler URI. Monitor wp-content/uploads for newly-written .php, .phtml, or .phar files and alert on any.

Share

CVE-2024-49216 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy