Default Thumbnail Plus <= 1.0.2.3 – Authenticated (Contributor+) Arbitrary File Upload | CVE 2024-6161 | Plugin Vulnerabilities

Description

The Default Thumbnail Plus plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'get_cache_image' function in all versions up to, and including, 1.0.2.3. This makes it possible for authenticated attackers, with contributor-level and above permissions, to upload arbitrary files on the affected site's server which may make remote code execution possible.

Affects Plugins

default-thumbnail-plus

No known fix

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/046f11b6-7d1a-4bd3-8250-4c5a50fab3ff

Miscellaneous

Original Researcher

István Márton

Verified

No

WPVDB ID

12919394-c4f0-4b60-8413-b2daae1f6b7a

Timeline

Publicly Published

2024-07-08 (about 1 year ago)

Added

2024-07-08 (about 1 year ago)

Last Updated

2024-07-09 (about 1 year ago)

Other

Published

Title

Published

2026-04-03

Title

Listeo-Core - Directory Plugin by Purethemes < 2.0.28 - Unauthenticated Arbitrary Media Upload

Published

2025-07-14

Title

HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder. < 2.2.2 - Unauthenticated Arbitrary File Upload

Published

2025-12-01

Title

SureMail < 1.9.1 - Unauthenticated Arbitrary File Upload

Published

2025-07-11

Title

BeeTeam368 Extensions < 2.3.6 - Authenticated (Subscriber+) Arbitrary File Upload

Published

2015-03-25

Title

NextGEN Gallery < 2.0.77.3 - CSRF & Arbitrary File Upload