Skip to main content

Digital Lottery CVE-2024-49242

CRITICAL
Unrestricted Upload of File with Dangerous Type (CWE-434)
2024-10-16 audit@patchstack.com
10.0
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
10.0 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
CVSS changed
Apr 29, 2026 - 10:22 NVD
10.0 (CRITICAL)
CVE Published
Oct 16, 2024 - 14:15 nvd
N/A

DescriptionCVE.org

Unrestricted Upload of File with Dangerous Type vulnerability in Shafiq Digital Lottery digital-lottery allows Upload a Web Shell to a Web Server.This issue affects Digital Lottery: from n/a through <= 3.0.5.

AnalysisAI

Unrestricted file upload in the Shafiq Digital Lottery WordPress plugin (versions up to and including 3.0.5) allows remote unauthenticated attackers to upload web shells and achieve full server compromise. The CVSS 10.0 score with scope-change reflects that successful exploitation extends impact beyond the plugin to the entire hosting environment, and no public exploit identified at time of analysis though Patchstack disclosure typically accompanies plugin-level POCs.

Technical ContextAI

Digital Lottery is a WordPress plugin by Shafiq Digital used to run lottery-style functionality on WordPress sites. The root cause is CWE-434 (Unrestricted Upload of File with Dangerous Type), where the plugin's file upload handler fails to validate file extensions, MIME types, or content against an allowlist, permitting attackers to submit executable PHP files (web shells) into a web-accessible directory. Once uploaded, the PHP interpreter executes the shell on subsequent HTTP requests, granting attacker-controlled code execution under the web server user context.

Affected ProductsAI

Shafiq Digital Lottery WordPress plugin, all versions from unspecified initial release through and including 3.0.5. The Patchstack advisory (audit@patchstack.com is the reporting source) is the authoritative reference; consult patchstack.com/database for the specific advisory. No CPE string was provided in the input data, and no upper-bound fixed version is identified in the available intelligence.

RemediationAI

No vendor-released patch identified at time of analysis - the affected range extends through the latest known version 3.0.5 with no fixed version cited. Site administrators should immediately deactivate and remove the Digital Lottery plugin until Shafiq Digital publishes a patched release, then monitor the Patchstack advisory database for fix availability. As compensating controls, restrict access to the plugin's upload endpoints via web server rules (e.g., .htaccess deny rules on the plugin's upload handler URL), disable PHP execution in WordPress uploads directories using a PHP handler block in nginx/Apache config (side effect: may break legitimate plugins that rely on dynamic content in uploads), and deploy a WAF rule blocking multipart POSTs containing PHP file extensions to the plugin's endpoints. Audit the wp-content/uploads directory for suspicious .php, .phtml, or .phar files indicating prior compromise.

Share

CVE-2024-49242 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy