CVE-2024-52429
WordPress WP Quick Setup plugin <= 2.0 - Arbitrary Plugin and Theme Installation to Remote Code Execution vulnerability
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
Unrestricted Upload of File with Dangerous Type vulnerability in Anton Hoelstad WP Quick Setup allows Upload a Web Shell to a Web Server.This issue affects WP Quick Setup: from n/a through 2.0.
La vulnerabilidad de carga sin restricciones de archivos con tipo peligroso en Anton Hoelstad WP Quick Setup permite cargar un shell web a un servidor web. Este problema afecta a WP Quick Setup: desde n/a hasta 2.0.
The WP Quick Setup plugin for WordPress is vulnerable to unauthorized plugin and theme installation due to a missing capability check on a function in all versions up to, and including, 2.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install arbitrary plugins and themes which can be leveraged to achieve remote code execution.
CVSS Scores
SSVC
- Decision:Track*
Timeline
- 2024-11-11 CVE Reserved
- 2024-11-15 CVE Published
- 2024-11-21 CVE Updated
- 2024-11-21 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-434: Unrestricted Upload of File with Dangerous Type
- CWE-862: Missing Authorization
CAPEC
- CAPEC-650: Upload a Web Shell to a Web Server
References (1)
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Wp Quick Setup Search vendor "Wp Quick Setup" | Wp Quick Setup Search vendor "Wp Quick Setup" for product "Wp Quick Setup" | >= 0.0 <= 2.0 Search vendor "Wp Quick Setup" for product "Wp Quick Setup" and version " >= 0.0 <= 2.0" | en |
Affected
| ||||||