Arbitrary File Upload Vulnerability in School Management System for WordPress
CVE-2024-9659

9.8 CRITICAL

Key Information:

Vendor: WordPress
CVE Published: 23 November 2024

Badges

👾 Exploit Exists

What is CVE-2024-9659?

The School Management System for WordPress plugin is vulnerable to arbitrary file upload because the mj_smgt_user_avatar_image_upload() function does not adequately validate file types. The flaw is present in all versions up to and including 91.5.0, making it possible for unauthenticated users to upload malicious files to the server of an affected site. This could lead to remote code execution, compromising the integrity and security of the server.

EPSS Score

9% chance of being exploited in the next 30 days.

CVSS V3.1

Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • 👾 Exploit known to exist
  • Vulnerability published