Skip to main content

Automatic Translation CVE-2024-50493

CRITICAL
Unrestricted Upload of File with Dangerous Type (CWE-434)
2024-10-29 audit@patchstack.com
10.0
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
10.0 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
CVSS changed
Apr 23, 2026 - 15:22 NVD
10.0 (CRITICAL)
CVE Published
Oct 29, 2024 - 08:15 nvd
N/A

DescriptionCVE.org

Unrestricted Upload of File with Dangerous Type vulnerability in masterhomepage Automatic Translation automatic-translation allows Upload a Web Shell to a Web Server.This issue affects Automatic Translation: from n/a through <= 1.0.4.

AnalysisAI

Unrestricted file upload in the masterhomepage Automatic Translation WordPress plugin (versions through 1.0.4) allows remote unauthenticated attackers to upload web shells and achieve full server compromise. The flaw carries a maximum CVSS 10.0 due to its network-reachable, no-interaction nature with scope change, and EPSS rates exploitation probability at 55.5% (98th percentile), indicating substantial likelihood of attack despite no public exploit identified at time of analysis.

Technical ContextAI

The vulnerability resides in the Automatic Translation plugin by masterhomepage, a WordPress extension typically used to provide multilingual content translation. The root cause is CWE-434 (Unrestricted Upload of File with Dangerous Type), meaning the plugin's upload handler fails to validate file extensions, MIME types, or content against an allowlist of safe types. This permits an attacker to write executable PHP files into a web-accessible directory, where the WordPress/PHP runtime will execute them on request. The CVSS scope change (S:C) reflects that compromise of the plugin context extends to the broader hosting environment and underlying web server.

Affected ProductsAI

The vulnerability affects the Automatic Translation WordPress plugin (slug: automatic-translation) by masterhomepage, in all versions from initial release through and including 1.0.4. No CPE string was provided in the source data, and no vendor advisory URL was included with this CVE record; the authoritative reference is the Patchstack disclosure that originated the report (audit@patchstack.com).

RemediationAI

No vendor-released patched version is confirmed in the available data - the affected range is bounded as <= 1.0.4 with no explicit fixed version cited. Administrators should immediately deactivate and remove the Automatic Translation plugin from WordPress installations until a vendor patch above 1.0.4 is published and verified; check the WordPress.org plugin directory and the Patchstack advisory database for the latest fix status. As compensating controls while the plugin is uninstalled, restrict upload directories (wp-content/uploads and any plugin-specific upload paths) from executing PHP via web server rules (e.g., an Apache .htaccess 'php_flag engine off' or nginx location block denying .php execution under uploads), and place a WAF rule blocking multipart uploads to plugin endpoints - note these controls can break legitimate media handling if scoped too broadly, so test before deployment. Monitor for newly-created PHP files in webroot directories and unexpected outbound connections from the web server as detection compensation.

Share

CVE-2024-50493 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy