Skip to main content

WP Dropbox Dropins CVE-2024-49607

CRITICAL
Unrestricted Upload of File with Dangerous Type (CWE-434)
2024-10-20 audit@patchstack.com
10.0
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
10.0 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
CVSS changed
Apr 23, 2026 - 15:22 NVD
9.8 (CRITICAL) 10.0 (CRITICAL)
CVE Published
Oct 20, 2024 - 09:15 nvd
CRITICAL 9.8

DescriptionCVE.org

Unrestricted Upload of File with Dangerous Type vulnerability in redhopit WP Dropbox Dropins wp-dropbox-dropins allows Upload a Web Shell to a Web Server.This issue affects WP Dropbox Dropins: from n/a through <= 1.0.

AnalysisAI

Unrestricted file upload in the redhopit WP Dropbox Dropins WordPress plugin (versions through 1.0) allows remote unauthenticated attackers to upload arbitrary files, including web shells, leading to full server compromise. The flaw carries a maximum CVSS score of 10.0 with scope change, and an EPSS score of 23.46% (96th percentile) signals elevated likelihood of exploitation, though no public exploit is identified at time of analysis and the issue is not on the CISA KEV list.

Technical ContextAI

WP Dropbox Dropins is a WordPress plugin by redhopit (CPE vendor: redwanhilali) that integrates Dropbox-style upload behavior into WordPress sites. The root cause is CWE-434 (Unrestricted Upload of File with Dangerous Type): the plugin accepts file uploads without sufficiently validating extensions, MIME types, or content, so an attacker can submit a PHP or other executable script. Because WordPress serves files from the uploads directory under the web root, an uploaded script becomes a directly callable web shell executed by the PHP interpreter, giving the attacker code execution in the context of the web server process.

RemediationAI

No vendor-released patch identified at time of analysis - version 1.0 is the latest published release and the advisory marks the affected range as up to and including 1.0 with no fix version listed. The most reliable mitigation is to deactivate and remove the WP Dropbox Dropins plugin from WordPress until the maintainer publishes a fixed release, accepting loss of the Dropbox upload integration as the trade-off. As compensating controls, restrict access to the plugin's upload endpoint with a WAF rule or .htaccess Require ip directive, deny execution of PHP within wp-content/uploads via a web-server-level rule (LocationMatch in Apache or a location block in nginx denying \.php$), and consider a virtual patch via Patchstack/Wordfence; note that blocking PHP execution in uploads can break other plugins that legitimately execute helper scripts there. Monitor the Patchstack advisory at https://patchstack.com/database/vulnerability/wp-dropbox-dropins for an updated fixed version.

Share

CVE-2024-49607 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy