RSVPMaker for Toastmasters CVE-2024-50531
CRITICALSeverity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Unrestricted Upload of File with Dangerous Type vulnerability in davidfcarr RSVPMaker for Toastmasters rsvpmaker-for-toastmasters allows Upload a Web Shell to a Web Server.This issue affects RSVPMaker for Toastmasters: from n/a through <= 6.2.4.
AnalysisAI
Unrestricted file upload in the RSVPMaker for Toastmasters WordPress plugin (versions through 6.2.4) allows remote unauthenticated attackers to upload web shells and achieve full server compromise. The CVSS 10.0 score reflects scope change with complete confidentiality, integrity, and availability impact, though no public exploit identified at time of analysis and EPSS remains modest at 0.89% (75th percentile).
Technical ContextAI
The vulnerability resides in the RSVPMaker for Toastmasters plugin by davidfcarr (Carr Communications), a WordPress add-on that extends the core RSVPMaker plugin for Toastmasters club event management. CWE-434 (Unrestricted Upload of File with Dangerous Type) indicates the plugin's file upload handler fails to validate file extensions, MIME types, or content against an allowlist, permitting executable PHP files to be written into a web-accessible directory. The CPE string cpe:2.3:a:carrcommunications:rsvpmaker:*:*:*:*:*:wordpress:*:* confirms this is a WordPress plugin running in the PHP execution context of the host site.
RemediationAI
No vendor-released patch identified at time of analysis - the advisory specifies the affected range as 'n/a through <= 6.2.4' without naming a fixed version, so administrators should monitor the WordPress plugin repository and the Patchstack advisory (audit@patchstack.com) for a 6.2.5 or later release and upgrade immediately when available. As immediate compensating controls, deactivate and remove the RSVPMaker for Toastmasters plugin until a patched version ships (trade-off: Toastmasters event RSVP functionality will be unavailable), or place a WAF rule blocking POST requests to the plugin's upload endpoints with executable file extensions such as .php, .phtml, .phar, .php5, and .htaccess. As deeper hardening, restrict the WordPress uploads directory from executing PHP via web server configuration (e.g., an Apache .htaccess php_flag engine off or an nginx location block denying .php execution under wp-content/uploads), which limits impact even if the upload primitive is reached.
Same technique File Upload
View allShare
External POC / Exploit Code
Leaving vuln.today