Skip to main content

Azz Anonim Posting CVE-2024-49257

CRITICAL
Unrestricted Upload of File with Dangerous Type (CWE-434)
2024-10-16 audit@patchstack.com
10.0
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
10.0 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
CVSS changed
Apr 23, 2026 - 15:22 NVD
10.0 (CRITICAL)
CVE Published
Oct 16, 2024 - 13:15 nvd
N/A

DescriptionCVE.org

Unrestricted Upload of File with Dangerous Type vulnerability in Denis Azz Anonim Posting azz-anonim-posting allows Upload a Web Shell to a Web Server.This issue affects Azz Anonim Posting: from n/a through <= 0.9.

AnalysisAI

Unrestricted file upload in the Azz Anonim Posting WordPress plugin (versions up to and including 0.9) allows remote unauthenticated attackers to upload arbitrary files, including web shells, to the underlying web server. With a CVSS score of 10.0 and a changed scope, successful exploitation yields full server compromise. No public exploit identified at time of analysis, though the EPSS score of 0.82% (74th percentile) suggests moderate but non-trivial exploitation likelihood.

Technical ContextAI

Azz Anonim Posting is a WordPress plugin by Denis (denoted 'Azz') that enables anonymous content posting. The flaw is a classic CWE-434 (Unrestricted Upload of File with Dangerous Type) issue, where the upload handler fails to validate or restrict the file extension, MIME type, or content of files submitted through the plugin's posting interface. Because WordPress executes PHP files within the web root, a dropped .php file is interpreted by the server, turning a file upload primitive into arbitrary code execution under the web server user. The CVSS scope change (S:C) reflects that compromise of the plugin's upload component cascades into the broader WordPress host and any data it can access.

Affected ProductsAI

Azz Anonim Posting WordPress plugin by Denis, all versions from initial release through and including version 0.9, are affected. No specific CPE string was provided in the source data. The vendor advisory is published via Patchstack (audit@patchstack.com is the assigning CNA), where additional version-specific details are typically maintained.

RemediationAI

No vendor-released patch identified at time of analysis - version 0.9 is the latest known version and is itself vulnerable, with no fixed release referenced in the available data. Site administrators should immediately deactivate and remove the Azz Anonim Posting plugin from any WordPress installation until a patched release is published by the maintainer. As a compensating control, restrict access to the plugin's upload endpoint via web server rules (e.g., .htaccess or nginx location blocks) or a WAF rule blocking POST requests to the plugin's upload handler - the trade-off is loss of the anonymous posting feature. Additionally, deny PHP execution within the wp-content/uploads directory via webserver configuration to neutralize dropped web shells, though this will not prevent file writes elsewhere if the plugin uses alternate paths. Consult the Patchstack advisory for any updated mitigation guidance once published.

Share

CVE-2024-49257 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy