CVE-2024-9849

Unrestricted Upload of File with Dangerous Type (CWE-434)

Published: Nov 16, 2024 / Updated: 4d ago

CVSS 8.8 (High) | EPSS 0.05%

Summary

The 3D FlipBook, PDF Viewer, PDF Embedder – Real 3D FlipBook WordPress Plugin is vulnerable to arbitrary file upload because the 'r3dfb_save_thumbnail_callback' function performs no file type validation. All versions up to and including 4.6 are affected. The flaw is exploitable by authenticated attackers with Author-level access or higher.

Impact

An authenticated attacker with Author-level access or higher can upload a file of any type, including server-side scripts, to the affected site's server. If the file lands in a web-accessible directory and the server executes it, the result is remote code execution under the web server's account, which is why the CVSS vector rates confidentiality, integrity and availability impact as High. From there an attacker can read sensitive data such as site configuration and database contents, modify or delete content, or take the site offline.
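
The following is an added illustrative example, not code from the Real 3D FlipBook plugin or from the advisory. It shows the unsafe pattern described above (an AJAX handler that writes an uploaded "thumbnail" into the uploads directory under the client-supplied filename without checking its type) beside a hardened handler that uses WordPress's own file type validation. The function names, the AJAX action 'example_save_thumbnail', the request fields 'thumbnail' and 'nonce', and the 'flipbooks' subdirectory are assumptions for the illustration; check_ajax_referer(), current_user_can(), wp_check_filetype_and_ext(), wp_handle_upload(), wp_upload_dir() and wp_send_json_*() are real WordPress core functions.

```php
<?php
// Added example, not the plugin's code. Names below (example_* functions, the
// 'thumbnail' and 'nonce' fields, the 'flipbooks' folder) are assumptions.

// UNSAFE pattern (CWE-434): the file is written under whatever name the client
// sent. A request with name "shell.php" yields an executable script in uploads/.
function example_unsafe_save_thumbnail_callback() {
    $upload_dir = wp_upload_dir();
    $name       = $_FILES['thumbnail']['name'];      // attacker-controlled
    $dest       = $upload_dir['basedir'] . '/flipbooks/' . $name;
    move_uploaded_file( $_FILES['thumbnail']['tmp_name'], $dest );
    wp_send_json_success( array( 'url' => $upload_dir['baseurl'] . '/flipbooks/' . $name ) );
}

// HARDENED pattern: nonce + capability check, then an image-only allowlist that
// WordPress enforces on both the extension and the sniffed content.
function example_hardened_save_thumbnail_callback() {
    // 1. Reject requests without a valid nonce for this action (dies on failure).
    check_ajax_referer( 'example_save_thumbnail', 'nonce' );

    // 2. Capability check. Note: Authors legitimately hold 'upload_files', so this
    //    alone would NOT fix the CVE; the type validation below is the actual fix.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    if ( empty( $_FILES['thumbnail'] ) || ! is_uploaded_file( $_FILES['thumbnail']['tmp_name'] ) ) {
        wp_send_json_error( 'no file', 400 );
    }
    $file = $_FILES['thumbnail'];

    // 3. Allowlist of thumbnail types, in the get_allowed_mime_types() format.
    //    Anything else (.php, .phtml, .phar, .html, .svg ...) is refused regardless
    //    of the Content-Type the client claims. SVG is left out on purpose: it can
    //    carry script.
    $allowed = array(
        'jpg|jpeg|jpe' => 'image/jpeg',
        'png'          => 'image/png',
        'gif'          => 'image/gif',
        'webp'         => 'image/webp',
    );

    // 4. Validate extension AND real content. WordPress sniffs the file and, for
    //    images, refuses a mismatch between the bytes and the extension.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'file type not allowed', 415 );
    }
    if ( ! empty( $check['proper_filename'] ) ) {
        $file['name'] = $check['proper_filename'];  // corrected to match real type
    }

    // 5. Let wp_handle_upload() do the move: it re-runs the type check with the same
    //    allowlist, sanitizes and uniquifies the filename, and places the file in
    //    the uploads directory. No caller-chosen path is ever used.
    if ( ! function_exists( 'wp_handle_upload' ) ) {
        require_once ABSPATH . 'wp-admin/includes/file.php';
    }
    $result = wp_handle_upload( $file, array( 'test_form' => false, 'mimes' => $allowed ) );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }
    wp_send_json_success( array( 'url' => $result['url'] ) );
}
add_action( 'wp_ajax_example_save_thumbnail', 'example_hardened_save_thumbnail_callback' );
```

The hardened handler never trusts the client's filename or Content-Type: the allowlist is passed both to wp_check_filetype_and_ext() and to wp_handle_upload(), so the decision is made on the file's actual bytes. Passing 'test_form' => false is required in an admin-ajax context, where $_POST['action'] is the AJAX action rather than 'wp_handle_upload'.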

Exploitation

No public proof-of-concept has been identified, and there is no evidence of exploitation in the wild at the time of writing. Note that Author is a standard WordPress role routinely granted to contributors on multi-author sites, so the "authenticated" precondition is weaker than it may sound.

Patch

The source notes do not name a fixed version. Since every release up to and including 4.6 is affected, any fix would ship in a later release; check the plugin's changelog and the Wordfence advisory for a version that explicitly addresses this issue before treating an update as remediation.

Mitigation

1. Update the 3D FlipBook, PDF Viewer, PDF Embedder – Real 3D FlipBook WordPress Plugin to a release newer than 4.6 once one that addresses this issue is available.
2. If no fixed release is available, deactivate the plugin until one is.
3. Restrict the Author role and above to trusted users. This limits exposure but does not remove the flaw, since Author is a standard role whose holders are expected to upload media.
4. Audit user accounts and their role assignments regularly.
5. As a compensating control, use a Web Application Firewall to detect and block uploads of executable file types to the plugin's endpoints.
6. Monitor web server and WordPress logs for uploads of unexpected file types (for example .php, .phtml or .phar) into wp-content/uploads.
7. Deny script execution under wp-content/uploads at the web server (an Apache or nginx rule that refuses to run .php files in that directory); this blunts the remote code execution path for this and similar upload flaws.
8. Keep WordPress core, all themes, and other plugins up to date.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

First Article

Feedly found the first article mentioning CVE-2024-9849. See article

Nov 16, 2024 at 3:38 AM / Vulners.com RSS Feed
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Nov 16, 2024 at 3:38 AM
CVE Assignment

NVD published the first details for CVE-2024-9849

Nov 16, 2024 at 4:15 AM
CVSS

A CVSS base score of 8.8 has been assigned.

Nov 16, 2024 at 4:20 AM / nvd
EPSS

EPSS Score was set to: 0.05% (Percentile: 20.6%)

Nov 16, 2024 at 10:07 AM

Affected Systems

3dflipbook/3d_flipbook

Links to MITRE ATT&CK

T1574.010: Services File Permissions Weakness

Attack Patterns

CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs

News

CVE-2024-9849
Severity 3.1 (CVSS 3.1 Base Score)

3D FlipBook Plugin Vulnerable to Arbitrary File Uploads
Creativeinteractivemedia - HIGH - CVE-2024-9849. The 3D FlipBook, PDF Viewer, PDF Embedder – Real 3D FlipBook WordPress Plugin plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'r3dfb_save_thumbnail_callback' function in all versions up to, and including, 4.6. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

CVE-2024-9849 - WordPress Real 3D FlipBook Plugin File Upload Vulnerability
CVE ID: CVE-2024-9849. Published: Nov. 16, 2024, 4:15 a.m. Description: same as above. Severity: 8.8

CVE-2024-9849 (bot post)
References cited: https://www.cve.org/CVERecord?id=CVE-2024-9849 ; https://www.wordfence.com/threat-intel/vulnerabilities/id/1f99b366-1a94-41ed-813a-bb13893604d0?source=cve ; https://plugins.trac.wordpress.org/browser/real3d-flipbook-lite/tags/4.6/includes/plugin-admin.php#L77

CVE-2024-9849
Description: same as above (truncated in the original).

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
