Skip to main content

Picsmize CVE-2024-52380

CRITICAL
Unrestricted Upload of File with Dangerous Type (CWE-434)
2024-11-14 audit@patchstack.com
10.0
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
10.0 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
CVSS changed
Apr 23, 2026 - 15:22 NVD
10.0 (CRITICAL)
CVE Published
Nov 14, 2024 - 18:15 nvd
N/A

DescriptionCVE.org

Unrestricted Upload of File with Dangerous Type vulnerability in softpulseinfotech Picsmize picsmize allows Upload a Web Shell to a Web Server.This issue affects Picsmize: from n/a through <= 1.0.0.

AnalysisAI

Unrestricted file upload in softpulseinfotech Picsmize plugin (versions up to and including 1.0.0) allows remote unauthenticated attackers to upload web shells and achieve full server compromise. CVSS 10.0 with a scope-changed vector reflects the severity, and the EPSS score of 54.26% (98th percentile) indicates elevated likelihood of exploitation attempts, though no public exploit identified at time of analysis.

Technical ContextAI

Picsmize is a WordPress plugin developed by softpulseinfotech, identified through the Patchstack audit program which specializes in WordPress ecosystem vulnerabilities. The root cause is CWE-434 (Unrestricted Upload of File with Dangerous Type), where the plugin fails to validate file extensions, MIME types, or content before accepting uploaded files. This class of flaw typically arises when upload handlers trust client-supplied filename or Content-Type fields and write files into web-accessible directories, allowing PHP or other executable content to be served by the web server.

Affected ProductsAI

softpulseinfotech Picsmize WordPress plugin, all versions from initial release through 1.0.0 inclusive, as reported via the Patchstack audit (audit@patchstack.com). The upper bound 'n/a through <= 1.0.0' from the advisory suggests no fixed version was identified at disclosure; CPE strings were not provided in the available data.

RemediationAI

No vendor-released patch identified at time of analysis - version 1.0.0 is the latest known release and remains vulnerable. The most reliable mitigation is to deactivate and uninstall the Picsmize plugin until softpulseinfotech ships a fixed version, accepting the loss of any image-processing functionality it provides. As compensating controls, restrict access to the plugin's upload endpoints via WordPress's .htaccess or web server rules to block direct POSTs from untrusted networks, disable PHP execution in wp-content/uploads (or wherever the plugin writes files) using a Files directive to prevent uploaded shells from running, and monitor the Patchstack advisory page for an eventual fix release.

Share

CVE-2024-52380 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy