Skip to main content

WP Quick Setup CVE-2024-52429

CRITICAL
Unrestricted Upload of File with Dangerous Type (CWE-434)
2024-11-18 audit@patchstack.com
9.9
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.9 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Severity Changed
Apr 23, 2026 - 15:22 NVD
HIGH CRITICAL
CVSS changed
Apr 23, 2026 - 15:22 NVD
8.8 (HIGH) 9.9 (CRITICAL)
CVE Published
Nov 18, 2024 - 15:15 nvd
HIGH 8.8

DescriptionCVE.org

Unrestricted Upload of File with Dangerous Type vulnerability in AntonHoelstad WP Quick Setup wp-quick-setup allows Upload a Web Shell to a Web Server.This issue affects WP Quick Setup: from n/a through <= 2.0.

AnalysisAI

Web shell upload via the AntonHoelstad WP Quick Setup WordPress plugin (versions up to and including 2.0) allows authenticated remote attackers to upload files of dangerous types and achieve code execution on the underlying web server. EPSS rates exploitation probability at 34.73% (97th percentile), and no public exploit identified at time of analysis, though the CWE-434 pattern and low attacker requirements make this a high-priority issue for WordPress operators running the plugin.

Technical ContextAI

The flaw lives in the WP Quick Setup plugin for WordPress (CPE cpe:2.3:a:antonhoelstad:wp_quick_setup), a setup/configuration helper plugin. The root cause is CWE-434 (Unrestricted Upload of File with Dangerous Type), meaning the plugin's file upload handler fails to enforce a server-side allowlist on file extensions or MIME types before writing user-supplied files into a web-accessible directory. Because WordPress serves uploaded PHP from within document root by default, an attacker who reaches the upload endpoint can write a .php web shell and have it interpreted by the PHP-FPM/Apache mod_php handler, yielding interactive code execution as the web server user.

RemediationAI

No vendor-released patch identified at time of analysis - the advisory description lists the fixed version as n/a, meaning the plugin author has not published a corrected release as of the disclosure. Site operators should immediately deactivate and uninstall the WP Quick Setup plugin from all affected WordPress installations, as this is the only reliable mitigation in the absence of a fix; the trade-off is loss of whatever setup-automation functionality the plugin provided, which is typically a one-time-use feature and rarely needed in production. As compensating controls until removal, restrict access to wp-admin and the plugin's upload endpoint via .htaccess/nginx IP allowlist, disable PHP execution within wp-content/uploads using a deny rule on .php files, and audit the uploads directory for suspicious recently-modified PHP files. Monitor the Patchstack advisory page for any later-published patched version.

Share

CVE-2024-52429 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy