Unrestricted Upload of File with Dangerous Type Vulnerability Allows Web Shell Upload to Web Server
CVE-2024-37424

9.9CRITICAL

Key Information:

Vendor: WordPress
Status: Newspack Blocks
Vendor: CVE Published:; 9 July 2024

What is CVE-2024-37424?

A vulnerability affecting Automattic's Newspack Blocks allows for the unrestricted upload of files with dangerous types, potentially enabling attackers to upload a web shell to the server. This issue compromises the server's security and can lead to unauthorized access, data breaches, and further exploitation of the vulnerable site. The affected versions include those prior to 3.0.8, which underscores the necessity for WordPress users to ensure they are running the latest, patched version.

Affected Version(s)

Newspack Blocks <= 3.0.8

References

https://patchstack.com/database/vulnerability/newspack-bl...

vdb-entry

CVSS V3.1

Score:

9.9

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 9, 2024

Credit

Rafie Muhammad (Patchstack)