Vulnerabilities > CVE-2024-10586

CVSS 9.8 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

CWE-862

critical

NVD

Published: 2024-11-09

Updated: 2024-11-12

Summary

The Debug Tool plugin for WordPress is vulnerable to arbitrary file creation due to a missing capability check on the dbt_pull_image() function and missing file type validation in all versions up to, and including, 2.2. This makes it possible for unauthenticated attackers to to create arbitrary files such as .php files that can be leveraged for remote code execution.

Common Weakness Enumeration (CWE)

CWE-862 - Missing Authorization

References

https://www.wordfence.com/threat-intel/vulnerabilities/id/5e9d5c93-dcd7-450e-8c52-5c95fc5473d2?source=cve
https://plugins.trac.wordpress.org/browser/debug-tool/trunk/tools/image-puller.php#L120

Vulnerabilities > CVE-2024-10586 {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Vulnerabilities","item":"https://cyber.vumetric.com/vulns/"},{"@type":"ListItem","position":2,"name":"CVE-2024-10586"}]}

Summary

Common Weakness Enumeration (CWE)

References

Vulnerabilities > CVE-2024-10586