CVE-2024-56249
Published: 02 January 2025
Description
Unrestricted Upload of File with Dangerous Type vulnerability in Ludwig You WPMasterToolKit wpmastertoolkit allows Upload a Web Shell to a Web Server. This issue affects WPMasterToolKit: from n/a through <= 1.13.1.
Security Summary
CVE-2024-56249 is an Unrestricted Upload of File with Dangerous Type vulnerability (CWE-434) in the WPMasterToolKit WordPress plugin (slug wpmastertoolkit) developed by Ludwig You. It affects all plugin versions up to and including 1.13.1 (no lower bound is given, hence "n/a") and lets an attacker upload a web shell directly to the web server.
The vulnerability has a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H): it is exploitable over the network with low attack complexity and no user interaction, but requires high privileges (PR:H), in practice an administrator-level WordPress account. An authenticated attacker with those permissions can upload a malicious file such as a PHP web shell and execute it, which yields high impact on confidentiality, integrity and availability; the changed scope (S:C) reflects that the compromise extends beyond the WordPress application to the underlying web server, so other sites or services on the same host are at risk.
Patchstack's advisory at https://patchstack.com/database/Wordpress/Plugin/wpmastertoolkit/vulnerability/wordpress-wpmastertoolkit-plugin-1-13-1-arbitrary-file-upload-vulnerability?_s_id=cve documents this arbitrary file upload issue in WPMasterToolKit 1.13.1 and is the reference for practitioners assessing exposure in affected WordPress installations; sites running 1.13.1 or earlier should be treated as affected until the plugin is updated to a version that Patchstack lists as fixed.
Details
- CWE(s)