CVE-2024-9307

Unrestricted Upload of File with Dangerous Type (CWE-434)

Published: Nov 6, 2024 / Updated: 13d ago

CVSS 8.8 / EPSS 0.05% / Severity: High

Summary

The mFolio Lite plugin for WordPress is vulnerable to arbitrary file upload due to a missing capability check in all versions up to, and including, 1.2.1. The flaw allows authenticated attackers with Author-level access and above to upload file types that WordPress would normally reject, including SVG files carrying script and EXE files, to the affected site's server. An uploaded SVG yields stored cross-site scripting that runs whenever a user opens the file directly from the site; an uploaded EXE can lead to remote code execution if the attacker is able to execute the file on the server, or if a user is tricked into downloading and running it.

Impact

Potential impacts, given an account with Author-level access or above:
1. Stored cross-site scripting (XSS): script embedded in an uploaded SVG executes in the browser of any user who opens the file directly, in the site's own origin.
2. Remote code execution if an uploaded EXE can be run on the server, or if a victim is tricked into downloading and running it.
3. Privilege escalation: an Author account, which by default cannot upload SVG or EXE files, gains an upload primitive that can be chained (for example, XSS against an administrator's session) toward administrator-level actions.
4. Data exposure if the attacker obtains execution on the server.
5. Website defacement through injected scripts.
6. Malware distribution: the site becomes a host for attacker-supplied executables.
The CVSS v3.1 base score is 8.8 (High), vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H: network-reachable, low attack complexity, low privileges (an ordinary authenticated account), no user interaction, and high impact on confidentiality, integrity and availability. Note that UI:N describes the upload itself; the SVG-XSS and download-and-run paths to code execution do require a victim to open or run the file, so the realistic impact on a given site depends largely on whether files under the uploads directory can be executed server-side.

Exploitation

There is no evidence that a public proof-of-concept exists, and no evidence of exploitation in the wild at the time of writing.

Patch

The information on this page does not name a fixed version. Because the affected range is "all versions up to, and including, 1.2.1", any fix would ship in a later release. Check the plugin's changelog and the WordPress.org plugin page for a release after 1.2.1 and confirm it addresses this issue before relying on it; until then, treat the plugin as unpatched and apply the mitigations below.

Mitigation

1. Update the mFolio Lite plugin to a version higher than 1.2.1 as soon as one that fixes this issue is available.
2. If no fixed version is available, temporarily deactivate the mFolio Lite plugin until a patch is released.
3. Enforce strict access controls and regularly audit user accounts, especially those with Author-level access and above; remove or downgrade accounts that no longer need upload rights.
4. Keep file type restrictions tight. WordPress's default allowed MIME list already excludes SVG and EXE; do not widen it through the upload_mimes filter, and check that no other plugin does. As a backstop, configure the web server so that nothing under wp-content/uploads is executed as PHP, and serve uploaded SVGs as downloads (Content-Disposition: attachment) or under a restrictive Content-Security-Policy so embedded script cannot run in the site's origin.
5. Deploy a Web Application Firewall (WAF) with rules that block uploads of executable and script-bearing file types through plugin endpoints.
6. Regularly scan the site for unauthorized or suspicious files, especially under wp-content/uploads: executables, PHP files, double extensions such as .php.jpg, and SVGs containing <script> or event-handler attributes.
7. Educate site administrators and content creators about the risks of file uploads and the importance of verifying file sources before opening them.
8. Monitor web server logs for uploads or direct requests of .svg and .exe files under the uploads directory, and for execution of unexpected files.
9. Require additional authentication (for example, two-factor authentication) for administrator accounts and other critical actions in the WordPress admin panel.
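The scan described in items 6 and 8 can be automated. The script below is an added example, not code from the mFolio Lite plugin or from this page; it walks a directory laid out like wp-content/uploads and flags the artefacts an arbitrary-upload flaw of this kind leaves behind: dangerous extensions, double extensions, PE executables disguised with an image extension, PHP open tags inside non-PHP files, and SVGs that carry script or event handlers. The uploads tree it runs against is a constructed fixture built in a temporary directory; the extension list and SVG patterns are assumptions you should tune to your own site.

```python
"""Scan a WordPress-style uploads tree for files typical of a CWE-434 upload flaw.
Added example; not part of the mFolio Lite plugin or of the advisory text."""
import os
import re
import tempfile
from pathlib import Path

# Extensions that should never appear under wp-content/uploads on a typical site (assumed list).
DANGEROUS_EXTENSIONS = {".exe", ".php", ".phtml", ".php5", ".phar", ".sh"}
# SVGs are legitimately uploaded on some sites; flag only those carrying active content.
SVG_SCRIPT_PATTERNS = [
    re.compile(rb"<\s*script\b", re.I),
    re.compile(rb"\bon[a-z]+\s*=", re.I),        # onload=, onclick=, ...
    re.compile(rb"javascript\s*:", re.I),
    re.compile(rb"<\s*foreignObject\b", re.I),   # HTML smuggled inside SVG
]
MZ_MAGIC = b"MZ"  # DOS/PE header: an .exe renamed to .jpg still starts with this


def classify_file(path) -> list[str]:
    """Return the reasons a file looks suspicious; an empty list means clean."""
    path = Path(path)
    reasons = []
    ext = path.suffix.lower()
    if ext in DANGEROUS_EXTENSIONS:
        reasons.append(f"dangerous extension {ext}")
    # Double extensions such as shell.php.jpg slip past naive last-extension checks
    inner = [s.lower() for s in path.suffixes[:-1]]
    if any(s in DANGEROUS_EXTENSIONS for s in inner):
        reasons.append("double extension " + "".join(path.suffixes))
    try:
        with path.open("rb") as fh:
            head = fh.read(65536)   # content checks only need the first 64 KiB
    except OSError as exc:
        return [f"unreadable: {exc}"]
    if head.startswith(MZ_MAGIC) and ext != ".exe":
        reasons.append("PE executable disguised as " + (ext or "no extension"))
    if ext == ".svg" or head.lstrip().lower().startswith((b"<svg", b"<?xml")):
        for pat in SVG_SCRIPT_PATTERNS:
            if pat.search(head):
                reasons.append(f"SVG contains {pat.pattern.decode()!r}")
                break
    if b"<?php" in head and ext not in DANGEROUS_EXTENSIONS:
        reasons.append("PHP open tag inside non-PHP file")
    return reasons


def scan_uploads(root: str) -> dict[str, list[str]]:
    """Map each suspicious file (relative to root) to its list of reasons."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            reasons = classify_file(p)
            if reasons:
                findings[str(p.relative_to(root))] = reasons
    return findings


def build_sample_uploads() -> str:
    """Constructed fixture mimicking wp-content/uploads; not data from a real site."""
    root = tempfile.mkdtemp(prefix="uploads-")
    d = Path(root) / "2024" / "11"
    d.mkdir(parents=True)
    (d / "logo.svg").write_bytes(b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>')
    (d / "avatar.svg").write_bytes(
        b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"><script>/*x*/</script></svg>')
    (d / "report.exe").write_bytes(b"MZ" + b"\x00" * 64)      # plain executable upload
    (d / "photo.jpg").write_bytes(b"MZ" + b"\x00" * 64)       # executable renamed to .jpg
    (d / "cat.php.jpg").write_bytes(b"\xff\xd8\xff\xe0<?php system($_GET['c']); ?>")
    (d / "real.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 16)  # benign JPEG header
    return root


if __name__ == "__main__":
    sample_root = build_sample_uploads()
    for rel, why in sorted(scan_uploads(sample_root).items()):
        print(f"{rel}: {'; '.join(why)}")
```

On a live site, point scan_uploads at the real wp-content/uploads path and run it from cron; the fixture builder exists only so the example runs offline. Content checks matter more than extension checks here: a renamed executable or a PHP payload behind an image extension is caught by the magic bytes and open-tag tests even when the file name looks harmless.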

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

First Article

Feedly found the first article mentioning CVE-2024-9307.

Nov 6, 2024 at 6:54 AM / Vulners.com RSS Feed
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Nov 6, 2024 at 6:54 AM
CVE Assignment

NVD published the first details for CVE-2024-9307

Nov 6, 2024 at 7:15 AM
CVSS

A CVSS base score of 9.9 has been assigned.

Nov 6, 2024 at 7:20 AM / nvd
Threat Intelligence Report

CVE-2024-9307 is a critical vulnerability in the mFolio Lite plugin for WordPress, with a CVSS score of 9.9, allowing authenticated attackers with Author-level access to upload arbitrary files and inject malicious scripts, potentially leading to severe impacts such as remote code execution and data breaches. Currently, there is no evidence of exploitation in the wild or public proof-of-concept exploits, but mitigations include updating the plugin, implementing strict access controls, and using a Web Application Firewall. A patch is likely in development, and users are advised to monitor for updates and apply them promptly.

Nov 6, 2024 at 4:23 PM
EPSS

EPSS Score was set to: 0.05% (Percentile: 20.4%)

Nov 7, 2024 at 10:05 AM
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Qualys (152369)

Nov 8, 2024 at 7:53 AM
CVSS

A CVSS base score of 8.8 has been assigned.

Nov 8, 2024 at 9:20 PM / nvd

Affected Systems

Themelooks/mfolio

Links to Mitre Att&cks

T1574.010: Services File Permissions Weakness

Attack Patterns

CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs

References

CVE-2024-9307 - Exploits & Severity - Feedly
This vulnerability allows authenticated attackers with Author-level access and above to inject arbitrary web scripts in pages or upload arbitrary EXE files on the affected site's server. The mFolio Lite plugin for WordPress is vulnerable to file uploads due to a missing capability check in all versions up to, and including, 1.2.1.

News

Wordfence Intelligence Weekly WordPress Vulnerability Report (November 4, 2024 to November 10, 2024)
Security Bulletin 13 Nov 2024 - Cyber Security Agency of Singapore
Update Thu Nov 7 14:29:30 UTC 2024
Critical - CVE-2024-9307 - The mFolio Lite plugin for WordPress is...
The mFolio Lite plugin for WordPress is vulnerable to file uploads due to a missing capability check in all versions up to, and including, 1.2.1. This makes it possible for authenticated attackers,...

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
