CVE-2024-6366
Published: 29 July 2024
Summary
CVE-2024-6366 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Cozmoslabs Profile Builder. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Ingress Tool Transfer (T1105). The CVE ranks in the top 0.3% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
Deeper analysis
The User Profile Builder WordPress plugin before version 3.11.8 is affected by CVE-2024-6366, a missing-authorization flaw classified as CWE-434 (Unrestricted Upload of File with Dangerous Type) that permits unauthenticated users to invoke the WordPress async upload handler. The flaw carries a CVSS 3.1 score of 9.1 and allows direct interaction with media upload functionality without any access controls.
Unauthenticated attackers with network access to the site can exploit the issue to upload arbitrary media files, with high impact to confidentiality and integrity; availability is unaffected.
The referenced WPScan advisory identifies the affected plugin versions and indicates that the issue is resolved in release 3.11.8. The associated EPSS score is elevated, at roughly 0.92; no material rise from a low baseline has been reported.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-47473
Vulnerability details
The User Profile Builder WordPress plugin before 3.11.8 does not have proper authorisation, allowing unauthenticated users to upload media files via the async upload functionality of WP.
CWE(s)
- CWE-434: Unrestricted Upload of File with Dangerous Type
Related Threats
MITRE ATT&CK Enterprise Techniques (AI-generated)
Why these techniques?
The unauthenticated media file upload vulnerability in the public-facing WordPress plugin enables exploitation of public-facing applications (T1190) and facilitates ingress tool transfer (T1105) by allowing attackers to upload arbitrary files to the server without authentication.
Affected Assets
Mitigating Controls
Likely Mitigating Controls (AI-generated)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Requiring identifiable owners for portable devices reduces the attack surface for unrestricted uploads of dangerous file types via anonymous media.
- Dangerous file uploads can be detonated in a detonation chamber (sandbox) to determine malice before any production write or execution occurs.
- Keeping hardware write-protect enabled, except under tightly controlled manual procedures, prevents unrestricted writing of arbitrary or malicious firmware.
- Scanning files from external sources on download, open or execute blocks unrestricted uploads of dangerous file types.