Picsmize CVE-2024-52380
CRITICALSeverity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Unrestricted Upload of File with Dangerous Type vulnerability in softpulseinfotech Picsmize picsmize allows Upload a Web Shell to a Web Server.This issue affects Picsmize: from n/a through <= 1.0.0.
AnalysisAI
Unrestricted file upload in softpulseinfotech Picsmize plugin (versions up to and including 1.0.0) allows remote unauthenticated attackers to upload web shells and achieve full server compromise. CVSS 10.0 with a scope-changed vector reflects the severity, and the EPSS score of 54.26% (98th percentile) indicates elevated likelihood of exploitation attempts, though no public exploit identified at time of analysis.
Technical ContextAI
Picsmize is a WordPress plugin developed by softpulseinfotech, identified through the Patchstack audit program which specializes in WordPress ecosystem vulnerabilities. The root cause is CWE-434 (Unrestricted Upload of File with Dangerous Type), where the plugin fails to validate file extensions, MIME types, or content before accepting uploaded files. This class of flaw typically arises when upload handlers trust client-supplied filename or Content-Type fields and write files into web-accessible directories, allowing PHP or other executable content to be served by the web server.
Affected ProductsAI
softpulseinfotech Picsmize WordPress plugin, all versions from initial release through 1.0.0 inclusive, as reported via the Patchstack audit (audit@patchstack.com). The upper bound 'n/a through <= 1.0.0' from the advisory suggests no fixed version was identified at disclosure; CPE strings were not provided in the available data.
RemediationAI
No vendor-released patch identified at time of analysis - version 1.0.0 is the latest known release and remains vulnerable. The most reliable mitigation is to deactivate and uninstall the Picsmize plugin until softpulseinfotech ships a fixed version, accepting the loss of any image-processing functionality it provides. As compensating controls, restrict access to the plugin's upload endpoints via WordPress's .htaccess or web server rules to block direct POSTs from untrusted networks, disable PHP execution in wp-content/uploads (or wherever the plugin writes files) using a Files directive to prevent uploaded shells from running, and monitor the Patchstack advisory page for an eventual fix release.
Same technique File Upload
View allShare
External POC / Exploit Code
Leaving vuln.today