Arbitrary File Deletion Vulnerability in MaxiBlocks Plugin
CVE-2024-6885

8.1 HIGH

What is CVE-2024-6885?

The MaxiBlocks plugin for WordPress, in all versions up to and including 1.9.2, is vulnerable to arbitrary file deletion by authenticated attackers with Subscriber-level access or higher. The flaw is insufficient validation of the file path handled by the maxi_remove_custom_image_size and maxi_add_custom_image_size functions, so the path a request supplies is not confined to the files the plugin is meant to manage. Deleting a critical file such as wp-config.php can lead to remote code execution and compromise of the entire WordPress installation.
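As an added illustration (not the plugin's own code; the function name, the shape of its input and the use of WordPress core helpers are assumptions), the checks a file-deletion handler in a WordPress plugin needs so that a request can only remove image files that actually live inside the uploads directory:

```php
<?php
// Constructed example, not MaxiBlocks code. It assumes a hypothetical plugin
// function that deletes a generated custom-size image named by request input,
// and shows the checks whose absence allows arbitrary file deletion.

function example_delete_custom_size_image( $requested ) {
    // 1. Authorisation: Subscriber-level accounts lack 'upload_files', so the
    //    capability check alone stops the low-privilege case described above.
    if ( ! current_user_can( 'upload_files' ) ) {
        return new WP_Error( 'forbidden', 'Insufficient privileges.' );
    }

    // 2. Confinement: resolve the canonical path and require it to stay under
    //    the uploads base directory. realpath() collapses "../" segments and
    //    symlinks, so the comparison is made on the resolved path, not on the
    //    attacker-controlled string.
    $uploads  = wp_upload_dir();
    $base_dir = realpath( $uploads['basedir'] );
    $target   = realpath( trailingslashit( $uploads['basedir'] ) . ltrim( $requested, '/\\' ) );

    if ( false === $base_dir || false === $target ) {
        return new WP_Error( 'not_found', 'File does not exist.' );
    }
    if ( 0 !== strpos( $target, trailingslashit( $base_dir ) ) ) {
        // The resolved path escaped the uploads tree (for example toward wp-config.php).
        return new WP_Error( 'forbidden', 'Path outside the uploads directory.' );
    }

    // 3. Type restriction: only regular files with an image MIME type are
    //    eligible, never directories and never PHP or configuration files.
    $type = wp_check_filetype( $target );
    if ( ! is_file( $target ) || empty( $type['type'] ) || 0 !== strpos( $type['type'], 'image/' ) ) {
        return new WP_Error( 'forbidden', 'Not an image file.' );
    }

    wp_delete_file( $target ); // core helper; fires the 'wp_delete_file' filter, then unlinks
    return true;
}
```

A handler reached via AJAX or REST would additionally verify a nonce or the REST permission callback; the three checks above are the ones that directly address the path-validation weakness.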

Affected Version(s)

MaxiBlocks: 2200+ Patterns, 190 Pages, 14.2K Icons & 100 Styles (versions <= 1.9.2)

EPSS Score

8% chance of being exploited in the next 30 days.

CVSS V3.1

Score: 8.1
Severity: HIGH
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved

Credit

Lucio Sá