WordPress Plugin Vulnerabilities

Wechat Social login <= 1.3.0 - Unauthenticated Arbitrary File Upload

Description

The Wechat Social login plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'convert_remoteimage_to_local' function in versions up to, and including, 1.3.0. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

Affects Plugins

Plugin icon
wechat-social-login
No known fix

References

CVE
CVE-2024-9108
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/06881386-3c92-426b-948d-58e8a8bee624

Miscellaneous

Original Researcher
István Márton
Verified
No
WPVDB ID
1cc90780-4824-42f7-b01a-d91d10564b1c

Timeline

Publicly Published
2024-09-30 (about 1 year ago)
Added
2024-09-30 (about 1 year ago)
Last Updated
2024-10-01 (about 1 year ago)

Other

Published
Title
Published
2024-07-17
Title
Brizy – Page Builder < 2.4.45 - Authenticated (Contributor+) Arbitrary File Upload
Published
2024-10-14
Title
Azz Anonim Posting <= 0.9 - Unauthenticated Arbitrary File Upload
Published
2026-03-16
Title
Photography <= 7.7.5 - Authenticated (Editor+) Arbitrary File Upload
Published
2025-06-11
Title
Ovatheme Events Manager < 1.8.5 - Unauthenticated Arbitrary File Upload
Published
2023-12-14
Title
Essential Real Estate < 4.4.0 - Subscriber+ Arbitrary File Upload