WordPress Plugin Vulnerabilities

WP STAGING WordPress Backup Plugin – Migration Backup Restore < 3.5.0 - Admin+ Arbitrary File Upload

Description

The WP STAGING WordPress Backup Plugin – Migration Backup Restore plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the wpstg_processing AJAX action in all versions up to, and including, 3.4.3. This makes it possible for authenticated attackers, with administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

Affects Plugins

Plugin icon
wp-staging
Fixed in 3.5.0

References

CVE
CVE-2024-3412
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/8ebb1072-ea05-4914-961d-0d8f20248078

Miscellaneous

Original Researcher
haidv35
Verified
No
WPVDB ID
82633f41-a1ca-4317-867d-679b38e42fec

Timeline

Publicly Published
2024-05-28 (about 1 year ago)
Added
2024-05-28 (about 1 year ago)
Last Updated
2024-05-28 (about 1 year ago)

Other

Published
Title
Published
2025-01-07
Title
4ECPS Web Forms <= 0.2.18 - Unauthenticated Arbitrary File Upload
Published
2026-03-12
Title
Pix for WooCommerce < 1.6.0 - Unauthenticated Arbitrary File Upload
Published
2014-08-01
Title
PDW File Browser - upload.php Arbitrary File Upload
Published
2024-12-11
Title
Opt-In Downloads <= 4.07 - Authenticated (Subscriber+) Arbitrary File Upload
Published
2014-08-01
Title
Xerte Online <= 0.35 - File Upload