CVE-2024-13908
Published: 08 March 2025
Summary
CVE-2024-13908 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in the SMTP by BestWebSoft plugin for WordPress. Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 18.1% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly requires timely identification, reporting, and patching of the specific flaw in the SMTP plugin's save_options function to prevent arbitrary file uploads.
- SI-10 (Information Input Validation): mandates input validation at critical entry points such as the save_options function to enforce file type checks and block unrestricted uploads.
- SI-3 (Malicious Code Protection): deploys malicious code protection mechanisms to scan for, and prevent execution of, dangerous files uploaded through the vulnerable plugin function.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An arbitrary file upload vulnerability in a public-facing WordPress plugin directly enables exploitation of the application (T1190) and facilitates the ingress of malicious files such as web shells (T1105 Ingress Tool Transfer, T1505.003 Web Shell), leading to remote code execution.
NVD Description
The SMTP by BestWebSoft plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'save_options' function in all versions up to, and including, 1.1.9. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Deeper analysis
CVE-2024-13908 is an arbitrary file upload vulnerability in the SMTP by BestWebSoft plugin for WordPress, stemming from missing file type validation in the 'save_options' function. It affects all versions up to and including 1.1.9. The flaw, classified under CWE-434 (Unrestricted Upload of File with Dangerous Type), carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), indicating high confidentiality, integrity, and availability impacts.
Authenticated attackers with Administrator-level access or higher can exploit this vulnerability over the network with low attack complexity. Because the 'save_options' function does not validate the type of the file it accepts, such a user can place arbitrary files on the affected WordPress site's server; whether that becomes remote code execution depends on the server configuration and on the file type written (for example, a web shell under a web-served path).
Mitigation details are outlined in plugin advisories and patches referenced in Wordfence's threat intelligence and the WordPress plugin trac repository. A fix appears in changeset 3250935, with the code changes visible in the 1.1.8 tag of class-bwssmtp-settings.php; affected sites should update immediately to a version later than 1.1.9.
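As an added illustration (not the plugin's code, which this page does not reproduce), the following hypothetical WordPress settings-save handler performs the file type validation that the NVD text says was missing in 'save_options': an allow-list of MIME types, a content-aware extension/MIME check, and the upload routed through core's upload handler. The function, option and field names prefixed example_plugin_ are assumptions; the WordPress functions called are real core APIs.

```php
<?php
// Hypothetical hardened settings-save handler for a WordPress plugin.
// Added example only; it is NOT code from the SMTP by BestWebSoft plugin.
// It shows the control missing in CVE-2024-13908: validating an uploaded
// file's type before it is written under the site's upload directory.

function example_plugin_save_options() {
    // Capability and nonce checks: the settings form is admin-only.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    check_admin_referer( 'example_plugin_save_options', 'example_plugin_nonce' );

    if ( empty( $_FILES['example_plugin_logo']['tmp_name'] ) ) {
        return; // nothing uploaded; persist the remaining text options here
    }

    // Allow-list of MIME types this form legitimately needs (a logo image).
    // Anything not on the list, including any PHP file, is rejected.
    $allowed_mimes = array(
        'png'          => 'image/png',
        'jpg|jpeg|jpe' => 'image/jpeg',
    );

    $file = $_FILES['example_plugin_logo'];
    $name = sanitize_file_name( $file['name'] );

    // Check the extension AND the detected content type against the
    // allow-list. wp_check_filetype_and_ext() inspects the file's bytes,
    // so a script renamed to logo.png still fails here.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $name, $allowed_mimes );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_die( 'Rejected: file type is not allowed.' );
    }

    // Let core move the file, enforcing the same allow-list again.
    // test_form is disabled because this is not the media uploader's form.
    if ( ! function_exists( 'wp_handle_upload' ) ) {
        require_once ABSPATH . 'wp-admin/includes/file.php';
    }
    $overrides = array( 'test_form' => false, 'mimes' => $allowed_mimes );
    $result    = wp_handle_upload( $file, $overrides );
    if ( isset( $result['error'] ) ) {
        wp_die( esc_html( $result['error'] ) );
    }

    update_option( 'example_plugin_logo_url', esc_url_raw( $result['url'] ) );
}
```

For detection, a file written by the web server user into wp-content/uploads with a .php extension (or with executable content under an image extension) immediately after an admin settings POST is the artefact this class of bug leaves behind.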
Details
- CWE(s)