Feed Comments Number CVE-2024-49216
CRITICALSeverity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Unrestricted Upload of File with Dangerous Type vulnerability in jclay06 Feed Comments Number feed-comments-number allows Upload a Web Shell to a Web Server.This issue affects Feed Comments Number: from n/a through <= 0.2.1.
AnalysisAI
Unrestricted file upload in the Feed Comments Number WordPress plugin (jclay06, versions through 0.2.1) allows remote unauthenticated attackers to upload arbitrary files including web shells, leading to full server compromise. The maximum CVSS 10.0 score with scope-changed impact reflects complete confidentiality, integrity, and availability loss, though no public exploit identified at time of analysis and EPSS sits at 0.97% indicating modest near-term exploitation likelihood.
Technical ContextAI
The vulnerability is rooted in CWE-434 (Unrestricted Upload of File with Dangerous Type), a class of flaw where an application's file upload handler fails to validate the file extension, MIME type, or content before writing it to a web-accessible directory. In WordPress plugin ecosystems, this typically means an upload endpoint either lacks a server-side allow-list check or trusts client-supplied content-type headers. Feed Comments Number is a third-party WordPress plugin authored by jclay06 that augments feed comment count display; the affected branch covers all versions up to and including 0.2.1. Because the resulting file lands inside the WordPress uploads directory (executable by PHP), attackers can drop a .php web shell and request it directly via HTTP.
Affected ProductsAI
The vulnerability affects the WordPress plugin Feed Comments Number authored by jclay06, all versions from initial release through and including 0.2.1, with no lower bound specified ('from n/a'). No CPE string was provided in the source intelligence, and no vendor advisory URL was supplied beyond the Patchstack reporter attribution; defenders should consult patchstack.com/database for the canonical advisory and confirm CPE coverage via NVD before scanning.
RemediationAI
No vendor-released patch identified at time of analysis based on the supplied data - the description indicates the issue affects 'up to and including 0.2.1' without naming a fixed version. The strongest compensating control is to deactivate and remove the Feed Comments Number plugin from all WordPress installations until a fixed release is published; given the plugin's narrow function (displaying comment counts in feeds) removal carries minimal operational impact. Until removal is possible, restrict access to wp-admin and the plugin's upload endpoints via web-server-level authentication or IP allow-listing, deny PHP execution within wp-content/uploads via an .htaccess or nginx location rule (side effect: may break other plugins that legitimately stage PHP there), and deploy a WAF rule blocking multipart uploads with executable extensions to the plugin's handler URI. Monitor wp-content/uploads for newly-written .php, .phtml, or .phar files and alert on any.
Same technique File Upload
View allShare
External POC / Exploit Code
Leaving vuln.today