Arbitrary File Upload Vulnerability in School Management System for WordPress
CVE-2024-9659
Key Information
- Vendor: School Management System for WordPress
- CVE Published: 23 November 2024
Summary
The School Management System for WordPress plugin is susceptible to an arbitrary file upload vulnerability due to inadequate file type validation within the mj_smgt_user_avatar_image_upload() function. This flaw is present in all versions up to and including 91.5.0, allowing unauthenticated users to potentially upload malicious files to the server of an affected site. This vulnerability could lead to remote code execution, facilitating various attack vectors that may compromise the integrity and security of the server.
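For contrast with the flaw described above, here is an added example of an avatar upload handler that requires an authenticated session and validates the file type against an allowlist. It is not the plugin's code or its patch; the action name, nonce action, form field name `avatar` and the required capability are assumptions chosen for illustration.

```php
<?php
// Added example: hypothetical hardened avatar upload handler for WordPress.
// 'example_avatar_upload', the nonce action and the 'avatar' field are assumed names.

// Registered for logged-in users only. There is deliberately no
// wp_ajax_nopriv_* hook, so unauthenticated requests never reach the handler.
add_action('wp_ajax_example_avatar_upload', 'example_avatar_upload');

function example_avatar_upload() {
    // Reject requests without a valid nonce (dies with 403 on failure).
    check_ajax_referer('example_avatar_upload', 'nonce');

    // Assumption: only users who may upload media can set an avatar.
    if (!current_user_can('upload_files')) {
        wp_send_json_error('forbidden', 403);
    }
    if (empty($_FILES['avatar']) || !is_uploaded_file($_FILES['avatar']['tmp_name'])) {
        wp_send_json_error('no file received', 400);
    }

    // Allowlist of image types; anything else (.php, .phtml, ...) is refused.
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'gif'      => 'image/gif',
    );
    $file = $_FILES['avatar'];

    // Checks the extension and the sniffed content type against the allowlist,
    // so a script renamed to "avatar.png" does not pass on its name alone.
    $check = wp_check_filetype_and_ext($file['tmp_name'], $file['name'], $allowed);
    if (empty($check['ext']) || empty($check['type'])) {
        wp_send_json_error('unsupported file type', 415);
    }
    // The content must also parse as an image.
    if (false === getimagesize($file['tmp_name'])) {
        wp_send_json_error('not an image', 415);
    }

    require_once ABSPATH . 'wp-admin/includes/file.php';
    // wp_handle_upload re-applies the same allowlist and stores the file
    // under a unique, sanitized name in the uploads directory.
    $result = wp_handle_upload($file, array('test_form' => false, 'mimes' => $allowed));
    if (isset($result['error'])) {
        wp_send_json_error($result['error'], 400);
    }
    wp_send_json_success(array('url' => $result['url']));
}
```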
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which could lead to ransomware.
Timeline
- Public PoC available
- Exploit known to exist
- Vulnerability published