RepairBuddy CVE-2024-51793

Severity: CRITICAL (CVSS 3.1 base score 10.0)
Weakness: Unrestricted Upload of File with Dangerous Type (CWE-434)
Published: 2024-11-11
Source: audit@patchstack.com

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

CVSS changed (Apr 23, 2026 - 15:22, NVD): 9.8 (CRITICAL) to 10.0 (CRITICAL)
PoC Detected (Apr 01, 2026 - 16:19, vuln.today): public exploit code
CVE Published (Nov 11, 2024 - 06:15, NVD): CRITICAL 9.8

Description (NVD)

Unrestricted Upload of File with Dangerous Type vulnerability in Ateeq Rafeeq RepairBuddy computer-repair-shop allows Upload a Web Shell to a Web Server. This issue affects RepairBuddy: from n/a through 3.8115.

Analysis (AI)

Unrestricted file upload in Ateeq Rafeeq's RepairBuddy (computer-repair-shop) WordPress plugin, versions up to and including 3.8115, allows a remote unauthenticated attacker to upload arbitrary files, including web shells, leading to full server compromise. Public exploit code exists, and the EPSS score of 45.04% (98th percentile) indicates a high likelihood of exploitation activity. The maximum CVSS score of 10.0 reflects the scope change together with high confidentiality, integrity and availability impact.

Technical Context (AI)

RepairBuddy is a WordPress plugin (CPE cpe:2.3:a:webfulcreations:computer_repair_shop) used by computer repair shops to manage repair tickets and customer interactions. The root cause is CWE-434 (Unrestricted Upload of File with Dangerous Type): the plugin accepts an uploaded file without adequately validating its extension, its declared MIME type or its contents. A default Apache/mod_php or PHP-FPM configuration executes any .php file under the web root, and WordPress stores uploads under the web-served wp-content/uploads directory without blocking PHP execution there, so an attacker can upload a .php web shell and then request it directly in a browser, obtaining arbitrary code execution as the web server or PHP worker account, the same account WordPress itself runs under.

Remediation (AI)

No vendor-released patch had been identified at the time of analysis: the advisory lists all versions up to and including 3.8115 as affected and gives no fixed version, so administrators should check the Patchstack advisory (issued by audit@patchstack.com) for a subsequent fix release and update as soon as one is available.

As an immediate compensating control, deactivate and remove the RepairBuddy plugin from affected WordPress sites (trade-off: loss of the repair-shop management functionality). If removal is not feasible, restrict access to the plugin's upload endpoints with web server rules or a WAF, and block PHP execution under wp-content/uploads in the web server configuration, for example an .htaccess rule in that directory that denies requests for PHP files on Apache, or an equivalent location block on Nginx. Cover alternate extensions (.phtml, .phar, .php5/.php7) and double extensions (shell.php.jpg) rather than only a bare .php suffix, since those are the usual bypasses of a filter that looks at the final extension alone (trade-off: may break other plugins that rely on executable content in uploads).

Independently of the above, audit the uploads directory and the rest of the web root for recently created or modified PHP files and for unexpected .htaccess or .user.ini files, which indicate prior compromise. An attacker who has already planted a web shell runs code as the web server account and is no longer confined to the plugin, so treat any finding as an incident rather than a cleanup.
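The two points above, that a web server will execute a .php file dropped under wp-content/uploads unless told not to, and that the uploads directory should be audited for recently created PHP files and for override files, are shown together in the following POSIX shell script. It is an added example written for this page, not code from RepairBuddy, Patchstack or vuln.today. It assumes Apache 2.4 (`Require all denied` syntax) with `AllowOverride` permitting `FilesMatch` and `Require` in .htaccess, and a find(1) that supports -iname and -mindepth (GNU and BSD both do). The uploads tree it scans is constructed inline for the demo, and the web-shell indicator regex is a triage heuristic, not a detection signature.

```shell
#!/bin/sh
# Added example, not RepairBuddy or Patchstack code. Hardens a WordPress
# uploads directory against PHP execution and hunts for dropped PHP files.
# Assumptions: Apache 2.4 ("Require" syntax) with AllowOverride allowing
# FilesMatch/Require; find(1) supporting -iname/-mindepth (GNU and BSD do).

# Regex for common web-shell primitives. A triage signal, not proof.
SHELL_INDICATOR_RE='eval\(|base64_decode\(|system\(|passthru\(|shell_exec\(|\$_(GET|POST|REQUEST)\['

# Write an .htaccess into the uploads root that refuses to serve PHP-like
# files. The trailing (\..*)? also catches double extensions such as
# shell.php.jpg, which an AddHandler-based PHP setup may otherwise execute.
write_uploads_htaccess() {
    dir="$1"
    cat > "$dir/.htaccess" <<'EOF'
# Deny requests for PHP-like files anywhere under uploads (Apache 2.4)
<FilesMatch "\.(?:php|php[0-9]|phtml|phar|phps)(\..*)?$">
    Require all denied
</FilesMatch>
EOF
    printf '%s\n' "$dir/.htaccess"
}

# List PHP-like files modified within the last N days (default 30), matching
# a PHP-like extension anywhere in the name, not just a trailing .php.
find_php_in_uploads() {
    dir="$1"; days="${2:-30}"
    find "$dir" -type f -mtime "-$days" \
        \( -iname '*.php' -o -iname '*.php[0-9]' -o -iname '*.phtml' \
           -o -iname '*.phar' -o -iname '*.phps' -o -iname '*.php.*' \) | sort
}

# .htaccess or .user.ini below the uploads root can re-enable PHP or remap
# extensions; attackers drop them for exactly that reason. List for review.
find_override_files() {
    find "$1" -mindepth 2 -type f \( -name '.htaccess' -o -name '.user.ini' \) | sort
}

# Among the PHP-like candidates, print those containing shell primitives.
list_shell_indicators() {
    find_php_in_uploads "$1" "${2:-30}" | while IFS= read -r f; do
        if grep -q -E "$SHELL_INDICATOR_RE" "$f"; then printf '%s\n' "$f"; fi
    done
}

# Build a constructed sample uploads tree (not real data) for the demo.
build_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/2024/11"
    printf 'JFIF' > "$root/2024/11/photo.jpg"                                       # benign image
    printf '<?php echo 1; ?>' > "$root/2024/11/backup.php"                          # PHP, no shell primitives
    printf '<?php @eval($_POST["c"]); ?>' > "$root/2024/11/cache.phtml"             # eval-based shell
    printf 'GIF89a<?php system($_GET["cmd"]); ?>' > "$root/2024/11/avatar.php.jpg"  # polyglot, double extension
    printf 'AddHandler application/x-httpd-php .jpg\n' > "$root/2024/11/.htaccess"  # re-enables PHP for .jpg
    printf '%s\n' "$root"
}

# Stand-alone demo. Point the functions at a real wp-content/uploads path
# instead of the constructed tree when running an actual audit.
demo_root=$(build_demo_tree)
write_uploads_htaccess "$demo_root"
echo "PHP-like files modified in the last 30 days:"
find_php_in_uploads "$demo_root" 30
echo "Override files below the uploads root:"
find_override_files "$demo_root"
echo "Candidates with web-shell indicators:"
list_shell_indicators "$demo_root" 30
rm -rf "$demo_root"
```

Nginx ignores .htaccess, so the equivalent there is a location block in the server configuration that matches PHP-like extensions under /wp-content/uploads/ and returns deny all, placed ahead of the PHP-FPM handler location. Blocking only a bare .php suffix is a common incomplete fix; alternate extensions and double extensions need covering too, which is why the regex above carries the optional trailing group.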

CVE-2024-51793 vulnerability details – vuln.today
