CVE-2024-6054 – Auto Featured Image <= 1.2 - Authenticated (Contributor+) Arbitrary File Upload

https://notcve.org/view.php?id=CVE-2024-6054

26 Jun 2024 — The Auto Featured Image plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'create_post_attachment_from_url' function in all versions up to, and including, 1.2. This makes it possible for authenticated attackers, with contributor-level and above permissions, to upload arbitrary files on the affected site's server which may make remote code execution possible. El complemento Auto Featured Image para WordPress es vulnerable a cargas de archivos arbitrarias ... • https://plugins.trac.wordpress.org/browser/auto-featured-image/tags/1.2/auto-featured-image.php#L167 • CWE-434: Unrestricted Upload of File with Dangerous Type •