Pie Register < 3.8.3.3 – Unauthenticated Arbitrary File Upload | CVE 2024-27957 | Plugin Vulnerabilities

Description

The plugin is vulnerable to arbitrary file uploads due to missing file type validation in the pie_save_registration function. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. NOTE: This vulnerability presents itself when the 'Anyone can register' option is enabled in options-general and the 'Upload File' field is added to the registration form.

Affects Plugins

Fixed in 3.8.3.3

References

CVE

URL

https://patchstack.com/database/wordpress/plugin/pie-register/vulnerability/wordpress-pie-register-plugin-3-8-3-1-unauthenticated-arbitrary-file-upload-vulnerability

Miscellaneous

Original Researcher

Rafie Muhammad

Verified

No

WPVDB ID

6835b9d3-8d61-485a-aa2b-f88377156ad4

Timeline

Publicly Published

2024-03-13 (about 2 years ago)

Added

2024-03-20 (about 2 years ago)

Last Updated

2024-11-29 (about 1 year ago)

Other

Published

Title

Published

2021-10-21

Title

Catch Themes Demo Import < 1.8 - Admin+ Arbitrary File Upload

Published

2025-11-17

Title

Pie Forms for WP <= 1.6 - Unauthenticated Arbitrary File Upload

Published

2014-08-01

Title

Category List Portfolio Page 0.9 - Shell Upload

Published

2025-01-15

Title

Barcode Scanner with Inventory & Order Manager < 1.7.0 - Authenticated (Admin+) Arbitrary File Upload

Published

2024-05-13

Title

Kognetiks Chatbot for WordPress < 2.0.1 - Unauthenticated Arbitrary File Upload