Skip to main content

WP REST API FNS CVE-2024-49329

CRITICAL
Unrestricted Upload of File with Dangerous Type (CWE-434)
2024-10-20 audit@patchstack.com
10.0
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
10.0 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
CVSS changed
Apr 23, 2026 - 15:22 NVD
9.8 (CRITICAL) 10.0 (CRITICAL)
CVE Published
Oct 20, 2024 - 09:15 nvd
CRITICAL 9.8

DescriptionCVE.org

Unrestricted Upload of File with Dangerous Type vulnerability in vivek2tamrakar WP REST API FNS rest-api-fns allows Upload a Web Shell to a Web Server.This issue affects WP REST API FNS: from n/a through <= 1.0.0.

AnalysisAI

Unrestricted file upload in the WP REST API FNS WordPress plugin (vivek2tamrakar) through version 1.0.0 allows remote unauthenticated attackers to upload web shells and achieve full server compromise. The CVSS 10.0 score reflects network-reachable, no-authentication exploitation with scope change and complete confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and EPSS sits at 0.80% (74th percentile) indicating moderate but not yet high exploitation likelihood.

Technical ContextAI

The affected component is the WP REST API FNS plugin for WordPress (CPE cpe:2.3:a:vivektamrakar:wp_rest_api_fns), which extends WordPress's REST API surface. The root cause is CWE-434 (Unrestricted Upload of File with Dangerous Type), meaning the plugin accepts file uploads without adequately validating file extension, MIME type, or content, permitting PHP or other executable payloads to land in a web-accessible directory. Because WordPress executes PHP files served from its document root, a successful upload of a .php web shell is directly invocable via HTTP, converting an upload primitive into remote code execution under the web server user.

RemediationAI

No vendor-released patch identified at time of analysis - the advisory indicates the issue affects versions through <= 1.0.0 with no fixed version specified. Defenders should deactivate and remove the WP REST API FNS plugin from affected WordPress sites until a maintainer-issued update appears on the WordPress.org plugin directory or Patchstack advisory feed, since this single action eliminates the vulnerable code path entirely with the trade-off of losing whatever REST API extension functionality the plugin provided. As compensating controls if removal is not immediately possible, restrict access to the plugin's REST API upload endpoints via a WAF rule (Patchstack, Wordfence, or equivalent), enforce PHP execution restrictions in wp-content/uploads via .htaccess or nginx location rules (side effect: may break legitimate plugins that rely on executable uploads), and monitor uploads directories for newly created .php, .phtml, or .phar files.

Share

CVE-2024-49329 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy