WP Quick Setup CVE-2024-52429
CRITICALSeverity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
Unrestricted Upload of File with Dangerous Type vulnerability in AntonHoelstad WP Quick Setup wp-quick-setup allows Upload a Web Shell to a Web Server.This issue affects WP Quick Setup: from n/a through <= 2.0.
AnalysisAI
Web shell upload via the AntonHoelstad WP Quick Setup WordPress plugin (versions up to and including 2.0) allows authenticated remote attackers to upload files of dangerous types and achieve code execution on the underlying web server. EPSS rates exploitation probability at 34.73% (97th percentile), and no public exploit identified at time of analysis, though the CWE-434 pattern and low attacker requirements make this a high-priority issue for WordPress operators running the plugin.
Technical ContextAI
The flaw lives in the WP Quick Setup plugin for WordPress (CPE cpe:2.3:a:antonhoelstad:wp_quick_setup), a setup/configuration helper plugin. The root cause is CWE-434 (Unrestricted Upload of File with Dangerous Type), meaning the plugin's file upload handler fails to enforce a server-side allowlist on file extensions or MIME types before writing user-supplied files into a web-accessible directory. Because WordPress serves uploaded PHP from within document root by default, an attacker who reaches the upload endpoint can write a .php web shell and have it interpreted by the PHP-FPM/Apache mod_php handler, yielding interactive code execution as the web server user.
RemediationAI
No vendor-released patch identified at time of analysis - the advisory description lists the fixed version as n/a, meaning the plugin author has not published a corrected release as of the disclosure. Site operators should immediately deactivate and uninstall the WP Quick Setup plugin from all affected WordPress installations, as this is the only reliable mitigation in the absence of a fix; the trade-off is loss of whatever setup-automation functionality the plugin provided, which is typically a one-time-use feature and rarely needed in production. As compensating controls until removal, restrict access to wp-admin and the plugin's upload endpoint via .htaccess/nginx IP allowlist, disable PHP execution within wp-content/uploads using a deny rule on .php files, and audit the uploads directory for suspicious recently-modified PHP files. Monitor the Patchstack advisory page for any later-published patched version.
Same technique File Upload
View allShare
External POC / Exploit Code
Leaving vuln.today