Azz Anonim Posting CVE-2024-49257
CRITICALSeverity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Unrestricted Upload of File with Dangerous Type vulnerability in Denis Azz Anonim Posting azz-anonim-posting allows Upload a Web Shell to a Web Server.This issue affects Azz Anonim Posting: from n/a through <= 0.9.
AnalysisAI
Unrestricted file upload in the Azz Anonim Posting WordPress plugin (versions up to and including 0.9) allows remote unauthenticated attackers to upload arbitrary files, including web shells, to the underlying web server. With a CVSS score of 10.0 and a changed scope, successful exploitation yields full server compromise. No public exploit identified at time of analysis, though the EPSS score of 0.82% (74th percentile) suggests moderate but non-trivial exploitation likelihood.
Technical ContextAI
Azz Anonim Posting is a WordPress plugin by Denis (denoted 'Azz') that enables anonymous content posting. The flaw is a classic CWE-434 (Unrestricted Upload of File with Dangerous Type) issue, where the upload handler fails to validate or restrict the file extension, MIME type, or content of files submitted through the plugin's posting interface. Because WordPress executes PHP files within the web root, a dropped .php file is interpreted by the server, turning a file upload primitive into arbitrary code execution under the web server user. The CVSS scope change (S:C) reflects that compromise of the plugin's upload component cascades into the broader WordPress host and any data it can access.
Affected ProductsAI
Azz Anonim Posting WordPress plugin by Denis, all versions from initial release through and including version 0.9, are affected. No specific CPE string was provided in the source data. The vendor advisory is published via Patchstack (audit@patchstack.com is the assigning CNA), where additional version-specific details are typically maintained.
RemediationAI
No vendor-released patch identified at time of analysis - version 0.9 is the latest known version and is itself vulnerable, with no fixed release referenced in the available data. Site administrators should immediately deactivate and remove the Azz Anonim Posting plugin from any WordPress installation until a patched release is published by the maintainer. As a compensating control, restrict access to the plugin's upload endpoint via web server rules (e.g., .htaccess or nginx location blocks) or a WAF rule blocking POST requests to the plugin's upload handler - the trade-off is loss of the anonymous posting feature. Additionally, deny PHP execution within the wp-content/uploads directory via webserver configuration to neutralize dropped web shells, though this will not prevent file writes elsewhere if the plugin uses alternate paths. Consult the Patchstack advisory for any updated mitigation guidance once published.
Same technique File Upload
View allShare
External POC / Exploit Code
Leaving vuln.today