Skip to main content

aDirectory CVE-2024-50420

CRITICAL
Unrestricted Upload of File with Dangerous Type (CWE-434)
2024-10-29 audit@patchstack.com
10.0
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
10.0 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
CVSS changed
Apr 23, 2026 - 15:22 NVD
10.0 (CRITICAL)
CVE Published
Oct 29, 2024 - 09:15 nvd
N/A

DescriptionCVE.org

Unrestricted Upload of File with Dangerous Type vulnerability in aDirectory aDirectory adirectory allows Upload a Web Shell to a Web Server.This issue affects aDirectory: from n/a through <= 1.3.

AnalysisAI

Unauthenticated remote code execution in aDirectory plugin versions up to and including 1.3 allows attackers to upload arbitrary files (web shells) to the web server with no authentication or user interaction required. The CVSS 10.0 score with scope-changed impact indicates full compromise potential, and while no public exploit is identified at time of analysis, the EPSS score of 1.67% (82nd percentile) signals elevated exploitation interest relative to the broader CVE population.

Technical ContextAI

aDirectory is a directory/listing plugin (commonly a WordPress plugin given the Patchstack reporting source) that includes file upload functionality. The root cause is CWE-434 (Unrestricted Upload of File with Dangerous Type), where the upload handler fails to validate or restrict the MIME type, extension, or content of uploaded files. This permits an attacker to upload executable server-side scripts (PHP web shells) into a web-accessible directory, where the web server will then execute them on request, granting code execution in the context of the web server process.

Affected ProductsAI

aDirectory plugin from the vendor aDirectory, all versions from unspecified initial release through and including version 1.3 are affected. The advisory was coordinated through Patchstack (audit@patchstack.com), which typically tracks WordPress ecosystem plugins, suggesting this is the aDirectory WordPress plugin; consult the Patchstack advisory database for the canonical vendor reference and any plugin slug/CPE confirmation.

RemediationAI

No vendor-released patch identified at time of analysis - the affected range extends through the latest version 1.3 with no fixed version disclosed in the provided data, so administrators should monitor the Patchstack advisory and the aDirectory vendor channel for an updated release beyond 1.3. As compensating controls until a patch ships, deactivate and remove the aDirectory plugin entirely (the safest option, with the trade-off of losing directory functionality), or restrict access to the plugin's upload endpoint via web server ACLs or a WAF rule blocking POST requests with executable extensions (.php, .phtml, .phar) to the plugin's upload paths (trade-off: may break legitimate uploads if the plugin's workflow depends on the same endpoint). Additionally, set the uploads directory to deny PHP execution at the web server level (e.g., an .htaccess deny rule or nginx location block) to neutralize uploaded web shells even if upload succeeds.

Share

CVE-2024-50420 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy