Verbalize WP CVE-2024-49668
CRITICALSeverity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Unrestricted Upload of File with Dangerous Type vulnerability in christopherdewese1099 Verbalize WP verbalize-wp allows Upload a Web Shell to a Web Server.This issue affects Verbalize WP: from n/a through <= 1.0.
AnalysisAI
Remote code execution in the Verbalize WP WordPress plugin (versions through 1.0) allows unauthenticated attackers to upload arbitrary files, including web shells, to the target web server. With a maximum CVSS score of 10.0 and an EPSS probability of 58.95% (98th percentile), this represents a critical, easily exploitable flaw, though no public exploit was identified at time of analysis and the CVE is not currently listed in CISA KEV.
Technical ContextAI
The vulnerability is rooted in CWE-434 (Unrestricted Upload of File with Dangerous Type), a class of flaw where a web application accepts user-supplied files without adequately validating or restricting file type, extension, or content. Verbalize WP is a third-party WordPress plugin by author christopherdewese1099, and like many WordPress plugins, it likely exposes an admin-ajax.php or REST endpoint that performs file handling. Because PHP files dropped into the WordPress webroot are executed by the server, an unrestricted upload becomes a direct path to remote code execution in the context of the web server user (typically www-data or apache).
Affected ProductsAI
Verbalize WP WordPress plugin by christopherdewese1099, all versions from n/a through and including 1.0. No CPE string was provided in the input data, and no vendor advisory URL was included in the references - coordination was performed via Patchstack (audit@patchstack.com), whose advisory database is the authoritative public reference for this issue.
RemediationAI
No vendor-released patched version was identified at time of analysis; the affected range extends through 1.0 with no fixed version specified, so administrators should immediately deactivate and uninstall the Verbalize WP plugin until a vendor fix is published on the WordPress.org plugin repository or via Patchstack. Compensating controls if removal is not immediately possible include restricting access to /wp-admin and the plugin's upload endpoint via web server ACLs or a WAF (trade-off: may break legitimate plugin functionality and admin workflows), enforcing filesystem-level execution restrictions in wp-content/uploads via .htaccess or nginx location blocks to prevent PHP execution (trade-off: may interfere with other plugins that legitimately rely on dynamic file generation), and monitoring for newly written .php files under the WordPress document root. Consult the Patchstack advisory database for any subsequent fix announcements.
Same technique File Upload
View allShare
External POC / Exploit Code
Leaving vuln.today