Skip to main content

WP SuperBackup CVE-2024-56064

CRITICAL
Unrestricted Upload of File with Dangerous Type (CWE-434)
2024-12-31 audit@patchstack.com
10.0
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
10.0 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
CVSS changed
Apr 23, 2026 - 15:42 NVD
10.0 (CRITICAL)
CVE Published
Dec 31, 2024 - 13:15 nvd
N/A

DescriptionCVE.org

Unrestricted Upload of File with Dangerous Type vulnerability in azzaroco WP SuperBackup indeed-wp-superbackup allows Upload a Web Shell to a Web Server.This issue affects WP SuperBackup: from n/a through <= 2.3.3.

AnalysisAI

Unrestricted file upload in azzaroco's WP SuperBackup WordPress plugin (versions through 2.3.3) enables remote unauthenticated attackers to upload arbitrary files including web shells, leading to full server compromise. The maximum CVSS score of 10.0 combined with an EPSS score of 55.52% (98th percentile) indicates very high exploitation probability, though no public exploit was identified at time of analysis and the issue is not yet listed in CISA KEV.

Technical ContextAI

WP SuperBackup is a WordPress backup plugin (slug: indeed-wp-superbackup) developed by azzaroco, distributed via the WordPress ecosystem. The vulnerability falls under CWE-434 (Unrestricted Upload of File with Dangerous Type), a class of flaw where an application accepts file uploads without adequately validating file type, extension, or content, allowing executable scripts (PHP web shells in WordPress contexts) to be written into web-accessible directories. Because WordPress executes PHP files under the web server user, a successful upload of a .php payload into a reachable plugin directory results in arbitrary code execution within the WordPress process context.

Affected ProductsAI

WP SuperBackup WordPress plugin (plugin slug: indeed-wp-superbackup) by author azzaroco, all versions from unspecified initial release through and including 2.3.3. No CPE entries were provided in the input data and no vendor advisory URL was supplied beyond the Patchstack reporter attribution (audit@patchstack.com), so confirmation of the affected version range relies on the NVD description text.

RemediationAI

No vendor-released patch version is identified in the available data - the description states the issue affects WP SuperBackup 'through <= 2.3.3' without naming a fixed release, so administrators should consult Patchstack and the WordPress.org plugin page for an update beyond 2.3.3 and apply it immediately once published. Until a fixed version is confirmed, the most reliable compensating control is to deactivate and remove the indeed-wp-superbackup plugin from affected WordPress installations, accepting the trade-off of losing the backup functionality and needing to switch to an alternative backup solution. Additional mitigations include blocking write access to plugin upload endpoints via a WAF rule that rejects requests with .php (and other executable) Content-Type or filename extensions in upload parameters, and restricting filesystem-level execute permissions on wp-content/uploads and any plugin-controlled upload directory; the latter can break legitimate plugin functionality that relies on executing helper scripts. Monitor wp-content directories for newly created PHP files as a detective control.

Share

CVE-2024-56064 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy