Plugin Propagator CVE-2024-50495
CRITICALSeverity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Unrestricted Upload of File with Dangerous Type vulnerability in nunomorgadinho Plugin Propagator wp-propagator allows Upload a Web Shell to a Web Server.This issue affects Plugin Propagator: from n/a through <= 0.1.
AnalysisAI
Unrestricted file upload in the Plugin Propagator WordPress plugin (versions up to and including 0.1) by nunomorgadinho allows remote unauthenticated attackers to upload arbitrary files, including web shells, to the web server. With a CVSS of 10.0 and a changed scope, successful exploitation results in full compromise of the underlying WordPress site and potentially adjacent systems. No public exploit identified at time of analysis, though the 1.31% EPSS score (80th percentile) indicates above-average attacker interest relative to the broader CVE population.
Technical ContextAI
The affected component is the Plugin Propagator WordPress plugin (CPE: cpe:2.3:a:widgilabs:plugin_propagator), a third-party extension intended to propagate plugin configurations across WordPress sites. The root cause is CWE-434 (Unrestricted Upload of File with Dangerous Type), meaning the upload handler does not enforce a server-side allowlist on file type, extension, or MIME content before writing the file to a web-accessible directory. In WordPress plugins, this class of flaw typically arises when an AJAX action, REST endpoint, or admin-post hook accepts a $_FILES payload and writes it under wp-content/uploads (or a custom path) without validating extension against PHP-executable types, allowing attacker-controlled PHP to be served by the webserver.
RemediationAI
No vendor-released patch identified at time of analysis - the advisory describes the affected range as 'through <= 0.1' with no fixed version stated, suggesting the plugin may be unmaintained. The recommended action is to immediately deactivate and remove the Plugin Propagator plugin from any WordPress site where it is installed, since the trade-off (loss of plugin-propagation functionality) is negligible compared to the risk of full server compromise. As compensating controls until removal, restrict access to /wp-content/plugins/wp-propagator/ at the webserver level (e.g., an Nginx location block or Apache <Directory> deny rule), block POST requests to that path via a WAF rule, and audit /wp-content/uploads/ for unexpected .php, .phtml, or .phar files that may indicate prior exploitation. Consult the Patchstack advisory referenced by audit@patchstack.com for any subsequent fix release.
Same technique File Upload
View allShare
External POC / Exploit Code
Leaving vuln.today