Cyber Resilience

CVE-2024-9461

Severity: High · Type: RCE

Published: 26 November 2024
Modified: 22 May 2025
KEV Added: not listed
CVSS v3.1 score: 7.2 (vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0669 (91.5th percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-9461 is a high-severity OS Command Injection (CWE-78) vulnerability in Boldgrid Total Upkeep. Its CVSS base score is 7.2 (High).

Operationally, it ranks in the top 8.5% of CVEs by EPSS exploit likelihood, and it is not currently listed in the CISA KEV catalog.

Deeper analysis

The Total Upkeep – WordPress Backup Plugin plus Restore & Migrate by BoldGrid is affected by a remote code execution vulnerability in all versions through 1.16.6. The flaw exists in the cron_interval parameter and stems from missing input validation and sanitization, corresponding to CWE-78. It carries a CVSS 3.1 score of 7.2 and can be reached over the network.

Authenticated users with Administrator privileges or higher can supply crafted input to the parameter and execute arbitrary code on the underlying server. No user interaction is required, and the attack impacts confidentiality, integrity, and availability.

Public references include the vulnerable code path in the plugin repository and a detailed entry from Wordfence that identifies the affected component and version range. The EPSS score has remained flat at 0.0669 with no material increase since disclosure.


Vulnerability details

The Total Upkeep – WordPress Backup Plugin plus Restore & Migrate by BoldGrid plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.16.6 via the cron_interval parameter. This is due to missing input validation and sanitization. This makes it possible for authenticated attackers, with Administrator-level access and above, to execute code on the server.


Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: boldgrid
Product: total upkeep
Versions: ≤ 1.16.7

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection. (addresses CWE-78)

- Validates inputs to block special elements that would alter OS command execution. (addresses CWE-78)
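As an added defensive example, not code from the Total Upkeep plugin, the following PHP shows the second control applied to a cron_interval value of the kind this advisory describes: the schedule is checked against a strict allowlist before it can reach a crontab line, and the only free-form argument is quoted. Function names, preset values and the script path are assumptions; only the parameter name comes from the advisory.

```php
<?php
// Added example, not code from the Total Upkeep plugin: strict validation of a
// cron_interval value before it is placed in a crontab line. The function and
// preset names are hypothetical; only the parameter name comes from the advisory.

/**
 * Return a safe cron schedule, or null when the input is not acceptable.
 * Two shapes are allowed: a named preset, or exactly five standard cron
 * fields made only of digits, '*', ',', '-' and '/'.
 */
function validate_cron_interval(string $raw): ?string {
    $presets = [
        'hourly' => '0 * * * *',
        'daily'  => '0 2 * * *',
        'weekly' => '0 2 * * 0',
    ];
    $value = trim($raw);
    if (isset($presets[$value])) {
        return $presets[$value];
    }
    // Each field is limited to a cron-safe character set; \z (not $) is used so
    // that a trailing newline cannot slip past the check.
    $field = '[0-9*,\/-]+';
    if (preg_match('/^' . $field . '(?: ' . $field . '){4}\z/', $value) === 1) {
        return $value;
    }
    // Anything else (shell metacharacters, newlines, extra fields) is rejected.
    return null;
}

/**
 * Build the crontab line from a validated schedule. The command itself is
 * fixed in code and the script path is quoted with escapeshellarg().
 */
function build_crontab_line(string $raw_interval, string $script_path): ?string {
    $schedule = validate_cron_interval($raw_interval);
    if ($schedule === null) {
        return null;
    }
    return $schedule . ' php ' . escapeshellarg($script_path) . ' >/dev/null 2>&1';
}

// Constructed inputs for demonstration.
var_dump(validate_cron_interval('daily'));             // "0 2 * * *"
var_dump(validate_cron_interval('*/15 * * * *'));      // accepted unchanged
var_dump(validate_cron_interval("0 2 * * *\nextra"));  // NULL: rejected
var_dump(validate_cron_interval('0 2 * * * ; extra')); // NULL: rejected
var_dump(build_crontab_line('hourly', '/var/www/wp-content/plugins/example/cron.php'));
```

The same allowlist approach generalizes to any value that ends up in a command line or crontab: accept only the exact shapes the feature needs and reject everything else rather than trying to strip dangerous characters.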
