CVE-2024-7384

High

Published: 22 August 2024

Modified: 27 September 2024
CVSS v3.1 score: 7.5 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.1119 (93.7th percentile)
Risk priority: 22 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-7384 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in the AcyMailing plugin for WordPress. Its CVSS v3.1 base score is 7.5 (High).

Operationally, it ranks in the top 6.3% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

Deeper analysis

The AcyMailing plugin for WordPress, an email newsletter and marketing automation component, is affected by an arbitrary file upload vulnerability in all versions through 9.7.2. The flaw stems from missing file type validation inside the acym_extractArchive function, which permits upload of attacker-controlled files to the server and is tracked as CWE-434 with a CVSS 3.1 score of 7.5.

Authenticated users holding Subscriber or higher privileges can exploit the issue over the network to place arbitrary files on the site, potentially leading to remote code execution. The attack requires no user interaction and succeeds when the attacker can reach the affected extraction routine.

Public references point to a fix committed in changeset 3137644 within the WordPress plugin repository, with corresponding updates reflected in the AcyMailing changelog and developer listings; site administrators should apply the patched version to close the upload vector.

EPSS remains flat at its recorded peak of 0.1119 with no material post-disclosure increase.

Vulnerability details

The AcyMailing – An Ultimate Newsletter Plugin and Marketing Automation Solution for WordPress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the acym_extractArchive function in all versions up to, and including, 9.7.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

CWE(s)

CWE-434: Unrestricted Upload of File with Dangerous Type

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: acymailing
Product: acymailing
Versions: ≤ 9.8.0

Mitigating Controls

Likely Mitigating Controls

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Addresses CWE-434: Requiring identifiable owners for portable devices reduces the attack surface for unrestricted uploads of dangerous file types via anonymous media.
- Addresses CWE-434: Dangerous file uploads can be detonated in the chamber to determine malice before any production write or execution occurs.
- Addresses CWE-434: Prevents unrestricted writing of arbitrary or malicious firmware by keeping hardware write-protect enabled except under tightly controlled manual procedures.
- Addresses CWE-434: Scans files from external sources on download/open/execute, blocking unrestricted uploads of dangerous file types.
