Skip to main content

Datasets Manager by Arttia Creative CVE-2024-52375

CRITICAL
Unrestricted Upload of File with Dangerous Type (CWE-434)
2024-11-14 audit@patchstack.com
10.0
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
10.0 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
CVSS changed
Apr 23, 2026 - 15:22 NVD
10.0 (CRITICAL)
CVE Published
Nov 14, 2024 - 18:15 nvd
N/A

DescriptionCVE.org

Unrestricted Upload of File with Dangerous Type vulnerability in Arttia Creative Datasets Manager by Arttia Creative datasets-manager-by-arttia-creative.This issue affects Datasets Manager by Arttia Creative: from n/a through <= 1.5.

AnalysisAI

Unrestricted file upload in the Datasets Manager by Arttia Creative WordPress plugin (versions up to and including 1.5) allows remote unauthenticated attackers to upload arbitrary files of dangerous types, leading to full server compromise via webshell execution. With a maximum CVSS score of 10.0, scope-changed impact, and an EPSS score of 54.56% in the 98th percentile, this represents a critical, high-probability exploitation target. No public exploit identified at time of analysis, but the attack surface and ease of weaponization make this an urgent priority.

Technical ContextAI

The vulnerability stems from CWE-434 (Unrestricted Upload of File with Dangerous Type), a class of flaws where an application accepts user-supplied files without validating extension, MIME type, or content. The affected component is the Datasets Manager by Arttia Creative WordPress plugin (slug: datasets-manager-by-arttia-creative), which provides dataset management functionality for WordPress sites. In typical WordPress plugin file-upload flaws of this class, missing capability checks, nonce verification, or extension filtering allows attackers to drop PHP files into web-accessible directories under wp-content/uploads, where they can be executed by the PHP interpreter. The Patchstack reporter tag confirms this was discovered through their WordPress security audit program.

Affected ProductsAI

The Datasets Manager by Arttia Creative WordPress plugin (slug: datasets-manager-by-arttia-creative) is affected in all versions from n/a through and including 1.5. No CPE strings were provided in the source intelligence. The advisory originates from Patchstack (audit@patchstack.com); their advisory database at patchstack.com should be consulted for vendor-confirmed affected version ranges and any fixed-version disclosure.

RemediationAI

No vendor-released patch identified at time of analysis - version 1.5 is the last known version and the advisory indicates all versions are affected with no upper-bound fixed release. Site operators should immediately deactivate and remove the Datasets Manager by Arttia Creative plugin until the vendor publishes a patched release; consult the Patchstack advisory database for the most current fix-status updates. As compensating controls while the plugin remains installed, restrict access to the plugin's upload endpoints via web server rules (block or authenticate requests to wp-admin/admin-ajax.php and admin-post.php actions registered by the plugin), disable PHP execution within wp-content/uploads using an .htaccess deny rule or nginx location block (side effect: breaks plugins that legitimately serve dynamic content from uploads), and place the site behind a WAF with file-upload signature enforcement. Audit existing wp-content/uploads for unexpected PHP, .phtml, .phar, or double-extension files which would indicate prior compromise.

Share

CVE-2024-52375 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy