WP Dropbox Dropins CVE-2024-49607
CRITICALSeverity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Unrestricted Upload of File with Dangerous Type vulnerability in redhopit WP Dropbox Dropins wp-dropbox-dropins allows Upload a Web Shell to a Web Server.This issue affects WP Dropbox Dropins: from n/a through <= 1.0.
AnalysisAI
Unrestricted file upload in the redhopit WP Dropbox Dropins WordPress plugin (versions through 1.0) allows remote unauthenticated attackers to upload arbitrary files, including web shells, leading to full server compromise. The flaw carries a maximum CVSS score of 10.0 with scope change, and an EPSS score of 23.46% (96th percentile) signals elevated likelihood of exploitation, though no public exploit is identified at time of analysis and the issue is not on the CISA KEV list.
Technical ContextAI
WP Dropbox Dropins is a WordPress plugin by redhopit (CPE vendor: redwanhilali) that integrates Dropbox-style upload behavior into WordPress sites. The root cause is CWE-434 (Unrestricted Upload of File with Dangerous Type): the plugin accepts file uploads without sufficiently validating extensions, MIME types, or content, so an attacker can submit a PHP or other executable script. Because WordPress serves files from the uploads directory under the web root, an uploaded script becomes a directly callable web shell executed by the PHP interpreter, giving the attacker code execution in the context of the web server process.
RemediationAI
No vendor-released patch identified at time of analysis - version 1.0 is the latest published release and the advisory marks the affected range as up to and including 1.0 with no fix version listed. The most reliable mitigation is to deactivate and remove the WP Dropbox Dropins plugin from WordPress until the maintainer publishes a fixed release, accepting loss of the Dropbox upload integration as the trade-off. As compensating controls, restrict access to the plugin's upload endpoint with a WAF rule or .htaccess Require ip directive, deny execution of PHP within wp-content/uploads via a web-server-level rule (LocationMatch in Apache or a location block in nginx denying \.php$), and consider a virtual patch via Patchstack/Wordfence; note that blocking PHP execution in uploads can break other plugins that legitimately execute helper scripts there. Monitor the Patchstack advisory at https://patchstack.com/database/vulnerability/wp-dropbox-dropins for an updated fixed version.
Same technique File Upload
View allShare
External POC / Exploit Code
Leaving vuln.today