Cyber Posture

CVE-2024-44373

Critical

Published: 19 August 2025
Modified: 15 April 2026
KEV Added
Patch
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0157 (81.7th percentile)
Risk Priority: 21 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-44373 is a critical-severity Path Traversal (CWE-22) vulnerability in WordPress (inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 18.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-25 (Reference Monitor) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) (AI)

prevent: Requires validation of path and content parameters at input interfaces to directly block path traversal exploitation in save_file.php.

prevent: Implements a reference monitor to enforce file access policies, preventing unauthorized writes to arbitrary paths targeted by traversal attacks.

prevent, detect: Boundary protection at web interfaces filters malicious path traversal payloads and monitors unauthenticated requests to the vulnerable endpoint.
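
The input-validation control described above, shown as an added PHP example (it is not AllSky's code or its patch): the requested path is canonicalised, refused if it resolves outside a base directory, and checked against an extension allow-list. The function name, the scratch base directory and the allow-list are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical allow-list: file types a settings editor would legitimately save (assumption).
const ALLOWED_EXTENSIONS = ['json', 'txt'];

/**
 * Resolve a user-supplied path under $baseDir.
 * Returns the canonical target path, or null when the write must be refused.
 */
function resolve_inside_base(string $baseDir, string $userPath): ?string
{
    $base = realpath($baseDir);
    if ($base === false || $userPath === '' || strpos($userPath, "\0") !== false) {
        return null;
    }
    // Canonicalise the parent directory: realpath() collapses ".." segments,
    // follows symlinks, and returns false if the directory does not exist.
    $parent = realpath(dirname($base . DIRECTORY_SEPARATOR . $userPath));
    if ($parent === false) {
        return null;
    }
    $target = $parent . DIRECTORY_SEPARATOR . basename($userPath);
    // Compare against the base plus a trailing separator, so a sibling such as
    // "/data/cfg-other" can never pass as being inside "/data/cfg".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0 || is_link($target)) {
        return null;
    }
    // Only allow-listed extensions: a server-executable file type is never written.
    $ext = strtolower(pathinfo($target, PATHINFO_EXTENSION));
    return in_array($ext, ALLOWED_EXTENSIONS, true) ? $target : null;
}

// Constructed demo: a scratch directory stands in for the writable config directory.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'cfg_demo_' . getmypid();
mkdir($base . DIRECTORY_SEPARATOR . 'sub', 0700, true);

// Constructed inputs: two legitimate names, then three that must be refused.
foreach (['settings.json', 'sub/notes.txt', '../outside.json', '/etc/demo.json', 'page.php'] as $p) {
    $target = resolve_inside_base($base, $p);
    if ($target === null) {
        echo "REFUSED  $p\n";
        continue;
    }
    file_put_contents($target, "{}\n", LOCK_EX);
    echo "WRITTEN  $p\n";
}
```

Path validation alone does not address the unauthenticated access noted in the NVD description; an endpoint like this also needs an authentication check before the write path is reached.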

NVD Description

A Path Traversal vulnerability in AllSky v2023.05.01 through v2024.12.06_06 allows an unauthenticated attacker to create a webshell and remote code execution via the path, content parameter to /includes/save_file.php.

Deeper analysis (AI)

CVE-2024-44373 is a path traversal vulnerability (CWE-22) affecting AllSky software versions from v2023.05.01 through v2024.12.06_06. The flaw resides in the /includes/save_file.php endpoint, where the path and content parameters are improperly handled, enabling an unauthenticated attacker to write arbitrary files. This leads to the creation of a webshell and subsequent remote code execution. The vulnerability has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), classifying it as critical.

Any unauthenticated attacker with network access can exploit this vulnerability due to its low complexity and lack of prerequisites. By crafting malicious requests to the vulnerable endpoint, the attacker can upload a webshell, gaining persistent remote code execution on the affected AllSky instance. This could allow full server compromise, including data exfiltration, lateral movement, or further persistence.

Advisories and references, including the research post at gh0stmezh.wordpress.com, the AllSky GitHub repository, the specific save_file.php source code, and a Notion page detailing the CVE, provide additional technical analysis. Security practitioners should review these for patch status or workarounds, as no specific mitigation details are outlined in the core CVE description.

Details

CWE(s)

Affected Products

WordPress (inferred from references and description; NVD did not file a CPE for this CVE)

CVEs Like This One

CVE-2026-23536 (Shared CWE-22)
CVE-2025-23422 (Shared CWE-22)
CVE-2024-48885 (Shared CWE-22)
CVE-2024-12849 (Shared CWE-22)
CVE-2026-33656 (Shared CWE-22)
CVE-2025-8343 (Shared CWE-22)
CVE-2025-59384 (Shared CWE-22)
CVE-2026-3051 (Shared CWE-22)
CVE-2025-15031 (Shared CWE-22)
CVE-2025-12062 (Shared CWE-22)

References