Advanced AJAX Page Loader <= 2.7.7 - Cross-Site Request Forgery to Arbitrary File Upload
CVE-2024-6310

8.8HIGH

Key Information:

Vendor
Wordpress
Status
Advanced Ajax Page Loader
Vendor
CVE Published:
9 July 2024

Summary

The Advanced AJAX Page Loader plugin for WordPress is susceptible to vulnerabilities that allow unauthenticated attackers to exploit Cross-Site Request Forgery. Due to insufficient nonce validation in the 'admin_init_AAPL' function and inadequate file type validation in the 'AAPL_options_validate' function, attackers can upload files to the server. This flaw poses a significant security risk, as it enables malicious users to potentially execute arbitrary code if they can manipulate a site administrator into interacting with a crafted request.

Affected Version(s)

Advanced AJAX Page Loader * <= 2.7.7

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/browser/advanced-ajax-...
https://plugins.trac.wordpress.org/browser/advanced-ajax-...

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

Credit

István Márton
.