Portfolleo CVE-2024-49653
CRITICALSeverity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Unrestricted Upload of File with Dangerous Type vulnerability in james-eggers Portfolleo portfolleo allows Upload a Web Shell to a Web Server.This issue affects Portfolleo: from n/a through <= 1.2.
AnalysisAI
Arbitrary web shell upload in james-eggers Portfolleo WordPress plugin (versions through 1.2) allows authenticated remote attackers to upload dangerous file types and achieve remote code execution on the underlying web server. CVSS 9.9 with scope change indicates the compromise extends beyond the plugin context to the hosting environment. EPSS of 58.97% (98th percentile) signals elevated exploitation probability, though no public exploit was identified and KEV does not list this CVE.
Technical ContextAI
Portfolleo is a WordPress portfolio plugin authored by james-eggers. The root cause is CWE-434 (Unrestricted Upload of File with Dangerous Type), a classic file-upload validation failure where the plugin does not properly restrict file extensions, MIME types, or content of uploaded files. In WordPress plugins this commonly manifests as missing server-side allowlisting on AJAX upload handlers or admin-post endpoints, enabling PHP files to be written into a web-accessible directory under wp-content/uploads or the plugin folder and executed by the PHP interpreter.
Affected ProductsAI
james-eggers Portfolleo (WordPress plugin) in all versions from initial release through and including 1.2 are affected. The advisory was issued by Patchstack (audit@patchstack.com); no CPE strings were provided in the source intelligence, and no vendor advisory URL was included in the reference data supplied.
RemediationAI
No vendor-released patch identified at time of analysis - versions up to and including 1.2 are listed as vulnerable with no fixed version provided in the source intelligence. As compensating controls, deactivate and remove the Portfolleo plugin until a fixed release is published by james-eggers (trade-off: loss of portfolio functionality); if removal is not acceptable, restrict upload endpoints to trusted administrators via WordPress role hardening and disable open user registration to neutralize the PR:L prerequisite; block PHP execution within wp-content/uploads using webserver rules (Apache .htaccess or nginx location blocks denying .php handling), accepting that this may break other plugins that rely on dynamic upload-directory scripts; place a WAF in front of WordPress with rules to block multipart uploads containing PHP shebangs or .php/.phtml/.phar extensions, monitoring for false positives on legitimate media workflows. Monitor the Patchstack advisory feed for the eventual fixed version.
Same technique File Upload
View allShare
External POC / Exploit Code
Leaving vuln.today