WordPress Plugin Vulnerabilities

MoveTo <= 6.2 - Unauthenticated Arbitrary File Upload

Description

The moveto plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in an unknown function in all versions up to, and including, 6.2. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

Affects Plugins

Plugin icon
moveto
No known fix

References

CVE
CVE-2024-25913
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/541551d8-5510-43ff-b685-783d0d94c4bb

Miscellaneous

Original Researcher
Dave Jong
Verified
No
WPVDB ID
be9ad81e-ede8-4485-bef7-f14b783d84d7

Timeline

Publicly Published
2024-02-12 (about 2 years ago)
Added
2024-02-14 (about 2 years ago)
Last Updated
2024-02-14 (about 2 years ago)

Other

Published
Title
Published
2024-09-12
Title
MStore API – Create Native Android & iOS Apps On The Cloud < 4.15.4 - Authenticated (Subscriber+) Limited Arbitrary File Upload
Published
2014-08-01
Title
Deep-Blue 1.9.2 - Arbitrary File Upload
Published
2021-04-11
Title
College Publisher Import <= 0.1 - Arbitrary File Upload to RCE
Published
2013-11-29
Title
OptimizePress Theme < 1.6 - Unauthenticated Arbitrary File Upload
Published
2025-07-23
Title
Ebook Store < 5.8013 - Unauthenticated Arbitrary File Upload