Vulnerability Allows Authenticated Attackers to Execute Arbitrary PHP Code on Server
CVE-2024-5456
8.8 HIGH
Summary
The Panda Video plugin for WordPress is vulnerable to Local File Inclusion through the 'selected_button' parameter. Authenticated users with Contributor-level access and above can abuse this flaw to include and execute arbitrary files on the server, which can be used to bypass access controls, exfiltrate sensitive data, and execute malicious PHP code. Organizations running this plugin should apply the necessary mitigations and ensure their installations are on versions that are not affected.
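The root cause described above is a request value reaching a file include. The following is an added example, not the Panda Video plugin's code: the unsafe pattern is shown as a comment, followed by a hardened version that resolves the 'selected_button' value against a fixed allowlist and confirms the resulting path stays inside the template directory. The allowlist, `$template_dir`, the `manage_options` capability check and the function names are assumptions for illustration.

```php
<?php
// Added example (assumed code, not the plugin's): hardened file selection.
// Unsafe pattern behind most LFI findings: a request value reaches include()
//   include $template_dir . '/' . $_REQUEST['selected_button'] . '.php';

const ALLOWED_BUTTONS = ['play', 'pause', 'share']; // assumed allowlist

function resolve_button_template(string $selected, string $template_dir): ?string
{
    // 1. Exact allowlist match: "../", null bytes and stream wrappers never reach include().
    if (!in_array($selected, ALLOWED_BUTTONS, true)) {
        return null;
    }
    // 2. Build the path from the allowlisted token only, then confirm it
    //    resolves inside $template_dir (defence in depth against symlinks).
    $base = realpath($template_dir);
    $path = realpath($template_dir . DIRECTORY_SEPARATOR . $selected . '.php');
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// WordPress-side usage (assumed): require a capability above Contributor so a
// low-privileged account cannot drive the include at all.
function render_button(string $template_dir): void
{
    if (!current_user_can('manage_options')) { // assumed capability choice
        wp_die('insufficient privileges', '', ['response' => 403]);
    }
    $selected = isset($_POST['selected_button'])
        ? sanitize_key(wp_unslash($_POST['selected_button'])) : '';
    $path = resolve_button_template($selected, $template_dir);
    if ($path === null) {
        wp_die('invalid selection', '', ['response' => 400]);
    }
    include $path;
}
```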
CVSS V3.1
Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published