Automatic Translation CVE-2024-50493
CRITICALSeverity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Unrestricted Upload of File with Dangerous Type vulnerability in masterhomepage Automatic Translation automatic-translation allows Upload a Web Shell to a Web Server.This issue affects Automatic Translation: from n/a through <= 1.0.4.
AnalysisAI
Unrestricted file upload in the masterhomepage Automatic Translation WordPress plugin (versions through 1.0.4) allows remote unauthenticated attackers to upload web shells and achieve full server compromise. The flaw carries a maximum CVSS 10.0 due to its network-reachable, no-interaction nature with scope change, and EPSS rates exploitation probability at 55.5% (98th percentile), indicating substantial likelihood of attack despite no public exploit identified at time of analysis.
Technical ContextAI
The vulnerability resides in the Automatic Translation plugin by masterhomepage, a WordPress extension typically used to provide multilingual content translation. The root cause is CWE-434 (Unrestricted Upload of File with Dangerous Type), meaning the plugin's upload handler fails to validate file extensions, MIME types, or content against an allowlist of safe types. This permits an attacker to write executable PHP files into a web-accessible directory, where the WordPress/PHP runtime will execute them on request. The CVSS scope change (S:C) reflects that compromise of the plugin context extends to the broader hosting environment and underlying web server.
Affected ProductsAI
The vulnerability affects the Automatic Translation WordPress plugin (slug: automatic-translation) by masterhomepage, in all versions from initial release through and including 1.0.4. No CPE string was provided in the source data, and no vendor advisory URL was included with this CVE record; the authoritative reference is the Patchstack disclosure that originated the report (audit@patchstack.com).
RemediationAI
No vendor-released patched version is confirmed in the available data - the affected range is bounded as <= 1.0.4 with no explicit fixed version cited. Administrators should immediately deactivate and remove the Automatic Translation plugin from WordPress installations until a vendor patch above 1.0.4 is published and verified; check the WordPress.org plugin directory and the Patchstack advisory database for the latest fix status. As compensating controls while the plugin is uninstalled, restrict upload directories (wp-content/uploads and any plugin-specific upload paths) from executing PHP via web server rules (e.g., an Apache .htaccess 'php_flag engine off' or nginx location block denying .php execution under uploads), and place a WAF rule blocking multipart uploads to plugin endpoints - note these controls can break legitimate media handling if scoped too broadly, so test before deployment. Monitor for newly-created PHP files in webroot directories and unexpected outbound connections from the web server as detection compensation.
Same technique File Upload
View allShare
External POC / Exploit Code
Leaving vuln.today