CVE-2024-13908
Published: 08 March 2025
Description
Adversaries may transfer tools or other files from an external system into a compromised environment.
Security Summary
CVE-2024-13908 is an arbitrary file upload vulnerability in the SMTP by BestWebSoft plugin for WordPress, stemming from missing file type validation in the 'save_options' function. It affects all versions up to and including 1.1.9. The flaw, classified under CWE-434 (Unrestricted Upload of File with Dangerous Type), carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), indicating high confidentiality, integrity, and availability impacts.
Authenticated attackers with Administrator-level access or higher can exploit this vulnerability over the network with low complexity. Because the flawed 'save_options' function does not validate the type of an uploaded file, they can place arbitrary files on the affected WordPress site's server, which can lead to remote code execution (for example via an uploaded web shell) depending on the server configuration.
Mitigation details are outlined in the plugin advisories and patches referenced in Wordfence's threat intelligence and in the WordPress plugin Trac repository. A fix appears in changeset 3250935, and the code changes are visible in the 1.1.8 tag of class-bwssmtp-settings.php. Affected sites should update immediately to a version later than 1.1.9.
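The control whose absence is described above is allowlist-based file type validation. The following is an added illustration of such a check, not code from the SMTP by BestWebSoft plugin, written in Python rather than PHP for clarity; the image allowlist, size limit and storage-name scheme are constructed assumptions.

```python
import os
import re
import secrets

# Constructed allowlist (not the plugin's): extension -> (MIME type, magic-byte prefixes).
ALLOWED = {
    "png":  ("image/png",  (b"\x89PNG\r\n\x1a\n",)),
    "jpg":  ("image/jpeg", (b"\xff\xd8\xff",)),
    "jpeg": ("image/jpeg", (b"\xff\xd8\xff",)),
    "gif":  ("image/gif",  (b"GIF87a", b"GIF89a")),
}
STEM_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")
MAX_BYTES = 2_000_000  # assumed limit for a settings-page image


def validate_upload(filename: str, content: bytes):
    """Return (accepted, detail).

    On success `detail` is a server-generated storage name carrying only the
    allowlisted extension; on failure it is the rejection reason. The client-
    supplied name is never used for storage.
    """
    if len(content) > MAX_BYTES:
        return False, "file too large"
    # Drop any directory part a client may have smuggled in (../ or C:\...).
    base = os.path.basename(filename.replace("\\", "/"))
    # Split at the FIRST dot: 'shell.php.png' -> stem 'shell', ext 'php.png',
    # and 'php.png' is not allowlisted, so double extensions are rejected.
    stem, sep, ext = base.partition(".")
    if not sep or not STEM_RE.match(stem):
        return False, "invalid file name"
    ext = ext.lower()
    if ext not in ALLOWED:
        return False, f"extension '{ext}' not allowed"
    mime, magics = ALLOWED[ext]
    # The extension alone proves nothing; the bytes must match the claimed type.
    if not any(content.startswith(m) for m in magics):
        return False, f"content does not look like {mime}"
    return True, f"{secrets.token_hex(8)}.{ext}"
```

Storing the result under the generated name in a directory that the web server does not execute scripts from closes the remaining path to code execution even if a later check is bypassed.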
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An arbitrary file upload vulnerability in a public-facing WordPress plugin directly enables exploitation of the application (T1190) and provides a path for ingress of malicious files such as web shells (T1105, T1505.003), leading to remote code execution.