Multiple Page Generator Plugin – MPG < 4.0.3 – Authenticated (Editor+) Directory Traversal to Limited File Deletion | CVE 2024-10672 | Plugin Vulnerabilities

Description

The Multiple Page Generator Plugin – MPG plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the mpg_upsert_project_source_block() function in all versions up to, and including, 4.0.2. This makes it possible for authenticated attackers, with editor-level access and above, to delete limited files on the server.

Affects Plugins

multiple-pages-generator-by-porthas

Fixed in 4.0.3

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/8c21de03-4d62-4ecf-a2f1-57e0e416792b

Classification

Type

FILE DELETION

OWASP top 10

A6: Security Misconfiguration

CWE

CVSS

Miscellaneous

Original Researcher

Arkadiusz Hydzik

Verified

No

WPVDB ID

bb74dd43-ffab-41a1-b91e-d683d916346d

Timeline

Publicly Published

2024-11-11 (about 1 year ago)

Added

2024-11-11 (about 1 year ago)

Last Updated

2024-11-12 (about 1 year ago)

Other

Published

Title

Published

2025-10-31

Title

Import WP – Export and Import CSV and XML files to WordPress < 2.14.17 - Authenticated (Admin+) Arbitrary File Read

Published

2026-01-06

Title

EmailKit < 1.6.2 - Authenticated (Author+) Arbitrary File Read via Path Traversal

Published

2026-06-16

Title

WP Travel Engine < 6.8.1 - Subscriber+ Arbitrary Media File Move via user_profile_image

Published

2022-03-16

Title

iQ Block Country < 1.2.13 - Admin+ Arbitrary File Deletion via Zip Slip

Published

2025-01-30

Title

Drag and Drop Multiple File Upload – Contact Form 7 < 1.3.8.6 - Limited Arbitrary File Deletion