Arbitrary File Upload Vulnerability in AcyMailing Plugin
CVE-2024-7384

8.8HIGH

Key Information:

Vendor: Wordpress
Status: Acymailing – An Ultimate Newsletter Plugin And Marketing Automation Solution For WordPress
Vendor: CVE Published:; 22 August 2024

Summary

AcyMailing, the popular newsletter plugin for WordPress, has been identified with a vulnerability that allows authenticated attackers to upload arbitrary files to the server. This is due to inadequate file type validation in the acym_extractArchive function, affecting all versions up to and including 9.7.2. Attackers with Subscriber-level access or higher can exploit this flaw, potentially leading to remote code execution. Website administrators using the AcyMailing plugin should apply necessary updates and implement additional security measures to mitigate the risks associated with this vulnerability.

Affected Version(s)

AcyMailing – An Ultimate Newsletter Plugin and Marketing Automation Solution for WordPress * <= 9.7.2

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/acymailing/tru...

https://wordpress.org/plugins/acymailing/#developers

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Aug 22, 2024
Vulnerability Reserved
Aug 1, 2024

Credit

Arkadiusz Hydzik