Arbitrary File Upload Vulnerability in SMTP Plugin by BestWebSoft for WordPress
CVE-2024-13908

7.2HIGH

Key Information:

Vendor: WordPress
Status: Smtp By Bestwebsoft
Vendor: CVE Published:; 8 March 2025

What is CVE-2024-13908?

The SMTP by BestWebSoft plugin for WordPress contains a vulnerability that allows authenticated users with administrative privileges to upload arbitrary files due to a lack of file type validation in the 'save_options' function. This security flaw affects all versions up to and including 1.1.9, which could potentially lead to remote code execution on the server hosting the affected website.

Affected Version(s)

SMTP by BestWebSoft * <= 1.1.9

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/bws-smtp/tags/...

https://plugins.trac.wordpress.org/changeset/3250935/

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 8, 2025
Vulnerability Reserved
Feb 24, 2025

Credit

Hoang Phuc Vo