CVE-2024-39639 – WordPress File Upload plugin <= 4.24.7 - Broken Access Control + CSRF vulnerability
https://notcve.org/view.php?id=CVE-2024-39639
Broken Access Control vulnerability in Nickolas Bossinas WordPress File Upload allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WordPress File Upload: from n/a through 4.24.7. The WordPress File Upload plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the wfu_ajax_action_save_shortcode() function in versions up to, and including, 4.24.7. This makes it possible for authenticated attackers, with contributor-level access and above, to save shortcodes
• https://patchstack.com/database/vulnerability/wp-file-upload/wordpress-wordpress-file-upload-plugin-4-24-7-broken-access-control-csrf-vulnerability?_s_id=cve
• CWE-352: Cross-Site Request Forgery (CSRF)
• CWE-862: Missing Authorization
CVE-2014-125110 – wp-file-upload Plugin wfu_ajaxactions.php wfu_ajax_action_callback cross site scripting
https://notcve.org/view.php?id=CVE-2014-125110
A vulnerability has been found in the wp-file-upload plugin up to version 2.4.3 on WordPress and classified as problematic. Affected by this vulnerability is the function wfu_ajax_action_callback of the file lib/wfu_ajaxactions.php. The manipulation leads to cross-site scripting. The attack can be launched remotely. Upgrading to version 2.4.4 addresses this issue.
• https://github.com/wp-plugins/wp-file-upload/commit/c846327df030a0a97da036a2f07c769ab9284ddb
• https://github.com/wp-plugins/wp-file-upload/releases/tag/2.4.4
• https://vuldb.com/?ctiid.258781
• https://vuldb.com/?id.258781
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')