
Multi Purpose Mail Form CVE-2024-50526

Severity: CRITICAL
Weakness: Unrestricted Upload of File with Dangerous Type (CWE-434)
Published: 2024-11-04 · audit@patchstack.com
Score: 10.0 (CVSS 3.1 · NVD)

Severity by source

NVD PRIMARY
10.0 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline (3 events)

CVSS changed · Apr 23, 2026 15:22 · NVD
  9.8 (CRITICAL) -> 10.0 (CRITICAL)

PoC Detected · Apr 01, 2026 16:19 · vuln.today
  Public exploit code

CVE Published · Nov 04, 2024 14:15 · NVD
  CRITICAL 9.8

Description (CVE.org)

Unrestricted Upload of File with Dangerous Type vulnerability in Lindeni Mahlalela Multi Purpose Mail Form multi-purpose-mail-form allows Upload a Web Shell to a Web Server. This issue affects Multi Purpose Mail Form: from n/a through <= 1.0.2.

Analysis (AI)

Unrestricted file upload in the Multi Purpose Mail Form WordPress plugin (versions through 1.0.2) by Lindeni Mahlalela lets an unauthenticated remote attacker upload arbitrary files, including PHP web shells, to the site, giving remote code execution as the web server user and from there control of the WordPress installation. CVSS is 10.0 with scope change, and public exploit code exists; EPSS sits at 1.14% (78th percentile), indicating moderate but not yet widespread automated exploitation interest.

Technical Context (AI)

The affected component is a WordPress plugin (CPE cpe:2.3:a:lindeni:multi_purpose_mail_form) whose form handler accepts file attachments. The weakness is CWE-434 (Unrestricted Upload of File with Dangerous Type): the advisory gives no code-level detail, but the CWE-434 pattern is an upload handler that does not validate the extension, MIME type or content of a submitted file before writing it under the web root, on WordPress typically beneath wp-content/uploads. A file there whose extension the web server maps to the PHP handler (.php, .phtml, .phar and similar) is executed on request rather than served. Because plugin code runs in the same PHP process as WordPress core, under the web server account (commonly www-data), an uploaded web shell gives the attacker code execution with that account's privileges: it can read wp-config.php and the database credentials in it, write anywhere in the site tree, and serve as a foothold for further movement. The vector (PR:N, UI:N) indicates the form is reachable without authentication and needs no victim interaction.
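The upload pattern described above, as an added example written in Python rather than the plugin's PHP so that it runs stand-alone (this is not code from Multi Purpose Mail Form or from vuln.today): vulnerable_save() shows the CWE-434 shape, validate_attachment() the checks a hardened handler needs, and safe_save() the store step. The function names, the extension lists and the magic-byte table are this example's own assumptions, not taken from the plugin.

```python
"""Added example (not code from the Multi Purpose Mail Form plugin): the
CWE-434 upload pattern beside a hardened attachment check.

Names such as EXECUTABLE_EXT, ALLOWED_EXT and validate_attachment() are
this example's own assumptions.
"""
import os
import re
import secrets

# Extensions that PHP-capable web servers commonly hand to the PHP engine.
# phtml/phar/pht are included because many Apache and PHP-FPM configs map them.
EXECUTABLE_EXT = {"php", "php3", "php4", "php5", "php7", "phps", "phtml",
                  "phar", "pht", "inc"}

# Attachment types a mail form legitimately needs, each mapped to the magic
# bytes the file must begin with (assumed allowlist for this example).
ALLOWED_EXT = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "pdf": b"%PDF-",
}

# Long open tag and echo tag; the short "<?" tag is off by default in PHP.
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def vulnerable_save(upload_dir, filename, data):
    """The vulnerable pattern: trusts the client-supplied name and writes the
    bytes straight into a web-accessible directory, so shell.php becomes
    reachable as /wp-content/uploads/shell.php and is executed on request."""
    path = os.path.join(upload_dir, os.path.basename(filename))
    with open(path, "wb") as fh:
        fh.write(data)
    return path


def validate_attachment(filename, data):
    """Return (ok, reason). Every extension in the name is checked, not just
    the last, so shell.php.jpg is rejected along with shell.phtml; dotfiles
    such as .htaccess are refused; and the content must match the declared
    type and carry no PHP open tag."""
    name = os.path.basename(filename)
    if not name or name.startswith("."):
        return False, "dotfile or empty name"
    parts = name.lower().split(".")
    if len(parts) < 2:
        return False, "no extension"
    exts = parts[1:]
    if any(e in EXECUTABLE_EXT for e in exts):
        return False, "executable extension present: " + ".".join(exts)
    if any(e not in ALLOWED_EXT for e in exts):
        return False, "extension not in allowlist"
    if not data.startswith(ALLOWED_EXT[exts[-1]]):
        return False, "content does not match declared type"
    # A PNG carrying <?php only runs if something else executes it (an LFI
    # bug, a mis-scoped handler), but refusing it costs nothing.
    if PHP_TAG.search(data):
        return False, "embedded PHP open tag"
    return True, "ok"


def safe_save(upload_dir, filename, data):
    """Hardened store: validate first, then write under a random server-chosen
    name so the attacker never controls the path. In a real deployment
    upload_dir should also have PHP execution disabled or sit outside the
    document root."""
    ok, reason = validate_attachment(filename, data)
    if not ok:
        raise ValueError(reason)
    ext = filename.rsplit(".", 1)[1].lower()
    path = os.path.join(upload_dir, secrets.token_hex(16) + "." + ext)
    with open(path, "wb") as fh:
        fh.write(data)
    return path
```

The extension check walks every dot-separated part because Apache with a type-map or AddHandler configuration can execute shell.php.jpg, and the MIME type sent by the client is ignored entirely because it is attacker-controlled; the magic-byte comparison is the only content check that costs nothing to run.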

Remediation (AI)

No fixed version is identified in the available data: the affected range is given as 'n/a through <= 1.0.2' and no patched release is named. Until the maintainer ships a fix, deactivate and delete the Multi Purpose Mail Form plugin from every WordPress instance that has it; the mail form itself is the attack surface, so removal is the only mitigation that closes the hole. If removal is not immediately possible, layer compensating controls: (1) put a WAF rule in front of the plugin's form endpoint (Patchstack and Wordfence both publish firewall rules for plugin CVEs) that rejects multipart uploads whose filename carries a PHP-executable extension anywhere in the name (.php, .phtml, .phar, .php5 and similar, including double extensions such as shell.php.jpg) or that names a server control file such as .htaccess or .user.ini; (2) disable PHP execution under wp-content/uploads with an .htaccess deny rule or the equivalent web server configuration, noting that this can break the few plugins that legitimately place executable files in uploads; (3) once the controls are in place, sweep wp-content/uploads for PHP files, .htaccess/.user.ini files and image files containing a PHP open tag, because a site exposed before the controls went in may already host a shell, and if one is found treat the host as compromised and rotate the secrets in wp-config.php and the database credentials. Monitor the Patchstack advisory page for this CVE for an official fix announcement.
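The .htaccess control for the uploads directory, as an added example (not configuration from the page, the plugin or WordPress core). It assumes Apache 2.4 with AllowOverride permitting FileInfo on wp-content/uploads; the extension list is this example's own.

```apache
# Added example: wp-content/uploads/.htaccess for Apache 2.4 (assumed setup).
# Needs AllowOverride FileInfo (or All) on the uploads directory; if
# AllowOverride is None, place the same directives in a <Directory> block
# in the main server configuration instead.

# Refuse to serve any file with a PHP-executable extension anywhere in its
# name, so shell.php, shell.phtml and shell.php.jpg all return 403 instead
# of being handed to the PHP engine.
<FilesMatch "\.(php|php[3-7]|phps|phtml|phar|pht|inc)(\.|$)">
    Require all denied
</FilesMatch>

# mod_php only (PHP 7 builds register as mod_php7.c): switch the engine off
# for this subtree as a second layer. PHP-FPM/FastCGI setups ignore this and
# rely on the FilesMatch rule above.
<IfModule mod_php.c>
    php_flag engine off
</IfModule>
```

On nginx the same effect comes from a regex location matching ^/wp-content/uploads/ with the same extension pattern and deny all, placed before the generic \.php$ fastcgi location, since nginx takes the first matching regex location. After adding either rule, request a planted test file such as /wp-content/uploads/probe.php and confirm a 403 rather than a 200 or a PHP-generated response.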


CVE-2024-50526 vulnerability details – vuln.today
