Unauthorized File Uploads through Async Upload Functionality

CVE-2024-6366

Currently unrated 🤨

Key Information

Vendor: Samsung
Status: User Profile Builder
Vendor: CVE Published:; 29 July 2024

Summary

The User Profile Builder WordPress plugin before 3.11.8 does not have proper authorisation, allowing unauthenticated users to upload media files via the async upload functionality of WP.

Affected Version(s)

User Profile Builder < 3.11.8

Timeline

Vulnerability published.
Jul 29, 2024
Vulnerability Reserved.
Jun 27, 2024

Collectors

NVD DatabaseMitre Database

Credit

Michel Prunet

WPScan