CVE-2024-7384
Published: 22 August 2024
Summary
CVE-2024-7384 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Acymailing Acymailing (the AcyMailing newsletter plugin for WordPress). Its CVSS base score is 7.5 (High).
Operationally, it ranks in the top 6.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
The AcyMailing plugin for WordPress, an email newsletter and marketing automation component, is affected by an arbitrary file upload vulnerability in all versions through 9.7.2. The flaw stems from missing file type validation inside the acym_extractArchive function, which permits upload of attacker-controlled files to the server and is tracked as CWE-434 with a CVSS 3.1 score of 7.5.
Authenticated users holding Subscriber or higher privileges can exploit the issue over the network to place arbitrary files on the site, potentially leading to remote code execution. The attack requires no user interaction and succeeds when the attacker can reach the affected extraction routine.
Public references point to a fix committed in changeset 3137644 within the WordPress plugin repository, with corresponding updates reflected in the AcyMailing changelog and developer listings; site administrators should apply the patched version to close the upload vector.
EPSS remains flat at its recorded peak of 0.1119 with no material post-disclosure increase.
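The weakness described above is an extraction routine that writes archive entries to disk without checking what they are. As an added example (not AcyMailing's code, and not the patched acym_extractArchive), the hypothetical helper below shows the check a defender would expect in such a routine: every entry must stay inside the destination directory and every dotted suffix must be on an allow-list before anything is written.

```php
<?php
// Added example: allow-list validation for entries of an uploaded archive
// before anything is written to disk. Hypothetical helper, not plugin code.

/**
 * Extract only archive entries whose every extension is on the allow-list
 * and whose path stays inside $destDir. Returns the names of rejected entries.
 */
function safe_extract_archive(string $zipPath, string $destDir, array $allowedExt): array
{
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        throw new RuntimeException("cannot open archive: $zipPath");
    }
    $allowed  = array_map('strtolower', $allowedExt);
    $accepted = [];
    $rejected = [];

    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = $zip->getNameIndex($i);
        // Directory entries carry no payload; skip them.
        if (substr($name, -1) === '/') {
            continue;
        }
        // Reject absolute paths and traversal segments (zip-slip) regardless of type.
        $segments = explode('/', str_replace('\\', '/', $name));
        if ($name[0] === '/' || in_array('..', $segments, true)) {
            $rejected[] = $name;
            continue;
        }
        // Check every dotted suffix, so a double extension such as
        // "file.php.png" is refused, and so is a file with no extension at all.
        $parts = explode('.', strtolower(basename($name)));
        array_shift($parts);                     // drop the base filename
        if ($parts === [] || array_diff($parts, $allowed) !== []) {
            $rejected[] = $name;
            continue;
        }
        $accepted[] = $name;
    }

    if ($accepted !== [] && !$zip->extractTo($destDir, $accepted)) {
        $zip->close();
        throw new RuntimeException("extraction failed into $destDir");
    }
    $zip->close();
    return $rejected;
}

// Usage (paths are placeholders): only image assets are written; everything else is reported.
// $refused = safe_extract_archive('/tmp/upload.zip', WP_CONTENT_DIR . '/uploads/acym', ['jpg', 'jpeg', 'png', 'gif']);
```

Logging the returned rejected names gives a simple detection signal: an authenticated low-privilege account repeatedly submitting archives with refused entries is worth investigating.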
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-48320
Vulnerability details
The AcyMailing – An Ultimate Newsletter Plugin and Marketing Automation Solution for WordPress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the acym_extractArchive function in all versions up to, and including, 9.7.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Requiring identifiable owners for portable devices reduces the attack surface for unrestricted uploads of dangerous file types via anonymous media.
Dangerous file uploads can be detonated in the chamber to determine malice before any production write or execution occurs.
Prevents unrestricted writing of arbitrary or malicious firmware by keeping hardware write-protect enabled except under tightly controlled manual procedures.
Scans files from external sources on download/open/execute, blocking unrestricted uploads of dangerous file types.