Arbitrary File Creation Vulnerability in Debug Tool Plugin
CVE-2024-10586

9.8CRITICAL

Key Information:

Vendor: Wordpress
Status: Debug Tool
Vendor: CVE Published:; 9 November 2024

Badges

👾 Exploit Exists🟡 Public PoC

Summary

The Debug Tool plugin for WordPress is susceptible to a vulnerability that permits arbitrary file creation due to an oversight in capability verification contained within the dbt_pull_image() function. Furthermore, the absence of file type validation in the plugin's functionality allows unauthenticated attackers to exploit this weakness. These weaknesses enable attackers to create unauthorized files, including those with .php extensions, which can result in the execution of remote code, posing a significant threat to affected WordPress installations.

Affected Version(s)

Debug Tool * <= 2.2

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2024-10586
Created by RandomRobbieBF

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/debug-tool/tru...

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

🟡
Public PoC available
Nov 10, 2024
👾
Exploit known to exist
Nov 10, 2024
Vulnerability published
Nov 9, 2024
Vulnerability Reserved
Oct 31, 2024

Credit

Francesco Carlucci