WP REST API FNS CVE-2024-49329
CRITICALSeverity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Unrestricted Upload of File with Dangerous Type vulnerability in vivek2tamrakar WP REST API FNS rest-api-fns allows Upload a Web Shell to a Web Server.This issue affects WP REST API FNS: from n/a through <= 1.0.0.
AnalysisAI
Unrestricted file upload in the WP REST API FNS WordPress plugin (vivek2tamrakar) through version 1.0.0 allows remote unauthenticated attackers to upload web shells and achieve full server compromise. The CVSS 10.0 score reflects network-reachable, no-authentication exploitation with scope change and complete confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and EPSS sits at 0.80% (74th percentile) indicating moderate but not yet high exploitation likelihood.
Technical ContextAI
The affected component is the WP REST API FNS plugin for WordPress (CPE cpe:2.3:a:vivektamrakar:wp_rest_api_fns), which extends WordPress's REST API surface. The root cause is CWE-434 (Unrestricted Upload of File with Dangerous Type), meaning the plugin accepts file uploads without adequately validating file extension, MIME type, or content, permitting PHP or other executable payloads to land in a web-accessible directory. Because WordPress executes PHP files served from its document root, a successful upload of a .php web shell is directly invocable via HTTP, converting an upload primitive into remote code execution under the web server user.
RemediationAI
No vendor-released patch identified at time of analysis - the advisory indicates the issue affects versions through <= 1.0.0 with no fixed version specified. Defenders should deactivate and remove the WP REST API FNS plugin from affected WordPress sites until a maintainer-issued update appears on the WordPress.org plugin directory or Patchstack advisory feed, since this single action eliminates the vulnerable code path entirely with the trade-off of losing whatever REST API extension functionality the plugin provided. As compensating controls if removal is not immediately possible, restrict access to the plugin's REST API upload endpoints via a WAF rule (Patchstack, Wordfence, or equivalent), enforce PHP execution restrictions in wp-content/uploads via .htaccess or nginx location rules (side effect: may break legitimate plugins that rely on executable uploads), and monitor uploads directories for newly created .php, .phtml, or .phar files.
Same technique File Upload
View allShare
External POC / Exploit Code
Leaving vuln.today