Arbitrary File Inclusion Vulnerability in Penci Soledad Data Migrator plugin for WordPress
CVE-2024-3551

9.8CRITICAL

Key Information:

Vendor: WordPress
Status: Penci Soledad Data Migrator
Vendor: CVE Published:; 17 May 2024

What is CVE-2024-3551?

The Penci Soledad Data Migrator plugin for WordPress is affected by a Local File Inclusion vulnerability that stems from the improper handling of the 'data' parameter. This flaw allows unauthenticated attackers to include and execute arbitrary files on the server, creating opportunities for executing any PHP code present in those files. The vulnerability poses serious risks, such as the ability to bypass access controls and potentially access sensitive data. Attackers could exploit this vulnerability through the manipulation of uploads to capture file paths, thus facilitating unauthorized code execution limited to PHP files.

Affected Version(s)

Penci Soledad Data Migrator 0 <= 1.3.0

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://themeforest.net/item/soledad-multiconcept-blogmag...

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 17, 2024

CVE-2024-3551 Data

JSON