Skip to main content

Plugin Propagator CVE-2024-50495

CRITICAL
Unrestricted Upload of File with Dangerous Type (CWE-434)
2024-10-28 audit@patchstack.com
10.0
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
10.0 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
CVSS changed
Apr 23, 2026 - 15:22 NVD
9.8 (CRITICAL) 10.0 (CRITICAL)
CVE Published
Oct 28, 2024 - 21:15 nvd
CRITICAL 9.8

DescriptionCVE.org

Unrestricted Upload of File with Dangerous Type vulnerability in nunomorgadinho Plugin Propagator wp-propagator allows Upload a Web Shell to a Web Server.This issue affects Plugin Propagator: from n/a through <= 0.1.

AnalysisAI

Unrestricted file upload in the Plugin Propagator WordPress plugin (versions up to and including 0.1) by nunomorgadinho allows remote unauthenticated attackers to upload arbitrary files, including web shells, to the web server. With a CVSS of 10.0 and a changed scope, successful exploitation results in full compromise of the underlying WordPress site and potentially adjacent systems. No public exploit identified at time of analysis, though the 1.31% EPSS score (80th percentile) indicates above-average attacker interest relative to the broader CVE population.

Technical ContextAI

The affected component is the Plugin Propagator WordPress plugin (CPE: cpe:2.3:a:widgilabs:plugin_propagator), a third-party extension intended to propagate plugin configurations across WordPress sites. The root cause is CWE-434 (Unrestricted Upload of File with Dangerous Type), meaning the upload handler does not enforce a server-side allowlist on file type, extension, or MIME content before writing the file to a web-accessible directory. In WordPress plugins, this class of flaw typically arises when an AJAX action, REST endpoint, or admin-post hook accepts a $_FILES payload and writes it under wp-content/uploads (or a custom path) without validating extension against PHP-executable types, allowing attacker-controlled PHP to be served by the webserver.

RemediationAI

No vendor-released patch identified at time of analysis - the advisory describes the affected range as 'through <= 0.1' with no fixed version stated, suggesting the plugin may be unmaintained. The recommended action is to immediately deactivate and remove the Plugin Propagator plugin from any WordPress site where it is installed, since the trade-off (loss of plugin-propagation functionality) is negligible compared to the risk of full server compromise. As compensating controls until removal, restrict access to /wp-content/plugins/wp-propagator/ at the webserver level (e.g., an Nginx location block or Apache <Directory> deny rule), block POST requests to that path via a WAF rule, and audit /wp-content/uploads/ for unexpected .php, .phtml, or .phar files that may indicate prior exploitation. Consult the Patchstack advisory referenced by audit@patchstack.com for any subsequent fix release.

Share

CVE-2024-50495 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy