WordPress Plugin Vulnerabilities

WPMasterToolKit < 1.14.0 - Authenticated (Admin+) Arbitrary File Upload

Description

The WPMasterToolKit (WPMTK) – All in one plugin plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 1.13.1. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

Affects Plugins

Plugin icon
wpmastertoolkit
Fixed in 1.14.0

References

CVE
CVE-2024-56249
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/90d0b748-a56a-4932-8e43-751ca363725c

Miscellaneous

Original Researcher
l8BL
Verified
No
WPVDB ID
148cde6d-bca1-41f5-ac28-2140d237deaa

Timeline

Publicly Published
2024-12-30 (about 1 year ago)
Added
2025-01-08 (about 1 year ago)
Last Updated
2025-01-08 (about 1 year ago)

Other

Published
Title
Published
2014-08-01
Title
Right Now - Arbitrary File Upload
Published
2021-07-01
Title
PWA for WP & AMP < 1.7.33 - Authenticated (Subscriber+) Settings Change
Published
2024-10-30
Title
RSVPMaker for Toastmasters < 6.2.5 - Unauthenticated Arbitrary File Upload
Published
2014-08-01
Title
Sixtees - Shell Upload
Published
2024-10-21
Title
Portfolleo <= 1.2 - Authenticated (Subscriber+) Arbitrary File Upload