Skip to main content

Verbalize WP CVE-2024-49668

CRITICAL
Unrestricted Upload of File with Dangerous Type (CWE-434)
2024-10-23 audit@patchstack.com
10.0
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
10.0 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
CVSS changed
Apr 23, 2026 - 15:22 NVD
10.0 (CRITICAL)
CVE Published
Oct 23, 2024 - 16:15 nvd
N/A

DescriptionCVE.org

Unrestricted Upload of File with Dangerous Type vulnerability in christopherdewese1099 Verbalize WP verbalize-wp allows Upload a Web Shell to a Web Server.This issue affects Verbalize WP: from n/a through <= 1.0.

AnalysisAI

Remote code execution in the Verbalize WP WordPress plugin (versions through 1.0) allows unauthenticated attackers to upload arbitrary files, including web shells, to the target web server. With a maximum CVSS score of 10.0 and an EPSS probability of 58.95% (98th percentile), this represents a critical, easily exploitable flaw, though no public exploit was identified at time of analysis and the CVE is not currently listed in CISA KEV.

Technical ContextAI

The vulnerability is rooted in CWE-434 (Unrestricted Upload of File with Dangerous Type), a class of flaw where a web application accepts user-supplied files without adequately validating or restricting file type, extension, or content. Verbalize WP is a third-party WordPress plugin by author christopherdewese1099, and like many WordPress plugins, it likely exposes an admin-ajax.php or REST endpoint that performs file handling. Because PHP files dropped into the WordPress webroot are executed by the server, an unrestricted upload becomes a direct path to remote code execution in the context of the web server user (typically www-data or apache).

Affected ProductsAI

Verbalize WP WordPress plugin by christopherdewese1099, all versions from n/a through and including 1.0. No CPE string was provided in the input data, and no vendor advisory URL was included in the references - coordination was performed via Patchstack (audit@patchstack.com), whose advisory database is the authoritative public reference for this issue.

RemediationAI

No vendor-released patched version was identified at time of analysis; the affected range extends through 1.0 with no fixed version specified, so administrators should immediately deactivate and uninstall the Verbalize WP plugin until a vendor fix is published on the WordPress.org plugin repository or via Patchstack. Compensating controls if removal is not immediately possible include restricting access to /wp-admin and the plugin's upload endpoint via web server ACLs or a WAF (trade-off: may break legitimate plugin functionality and admin workflows), enforcing filesystem-level execution restrictions in wp-content/uploads via .htaccess or nginx location blocks to prevent PHP execution (trade-off: may interfere with other plugins that legitimately rely on dynamic file generation), and monitoring for newly written .php files under the WordPress document root. Consult the Patchstack advisory database for any subsequent fix announcements.

Share

CVE-2024-49668 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy