CVE-2024-9461
Published: 26 November 2024
Summary
CVE-2024-9461 is a high-severity OS Command Injection (CWE-78) vulnerability in Boldgrid Total Upkeep. Its CVSS base score is 7.2 (High).
Operationally, it ranks in the top 8.5% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
Deeper analysis
The Total Upkeep – WordPress Backup Plugin plus Restore & Migrate by BoldGrid is affected by a remote code execution vulnerability in all versions through 1.16.6. The flaw exists in the cron_interval parameter and stems from missing input validation and sanitization, corresponding to CWE-78. It carries a CVSS 3.1 score of 7.2 and can be reached over the network.
Authenticated users with Administrator privileges or higher can supply crafted input to the parameter and execute arbitrary code on the underlying server. No user interaction is required, and the attack impacts confidentiality, integrity, and availability.
Public references include the vulnerable code path in the plugin repository and a detailed entry from Wordfence that identifies the affected component and version range. The EPSS score has remained flat at 0.0669 with no material increase since disclosure.
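As an added illustration, not the plugin's own code or its patch, the defensive pattern that closes this class of flaw: a cron_interval value is checked against a fixed allowlist before it can influence any command, and only constants from a lookup table ever reach the command line. The schedule names, the crontab mapping, the function names and the script path are assumptions made for this example.

```php
<?php
// Added example (hypothetical, not Total Upkeep code): validating a
// cron_interval value so that it can never carry shell metacharacters
// into a command (CWE-78 mitigation).

/**
 * Accept only values from a fixed allowlist of schedule names.
 * The allowlist is an assumption for this example; the real plugin's
 * accepted values are not reproduced here.
 */
function validate_cron_interval( $raw ) {
    $allowed = array( 'hourly', 'twicedaily', 'daily', 'weekly' );
    $value   = is_string( $raw ) ? strtolower( trim( $raw ) ) : '';
    if ( ! in_array( $value, $allowed, true ) ) {
        return null; // reject anything outside the allowlist outright
    }
    return $value;
}

/**
 * Map a validated name to a crontab schedule string. User input is only
 * used as a lookup key; the table's own constant strings are what is emitted.
 */
function cron_schedule_for( $interval ) {
    $table = array(
        'hourly'     => '0 * * * *',
        'twicedaily' => '0 */12 * * *',
        'daily'      => '0 0 * * *',
        'weekly'     => '0 0 * * 0',
    );
    return isset( $table[ $interval ] ) ? $table[ $interval ] : null;
}

/**
 * Build the crontab line. Validation failure aborts instead of "cleaning"
 * the value, and the script path is wrapped with escapeshellarg() as a
 * second layer even though it is not user-controlled here.
 */
function build_cron_line( $raw_interval, $script_path ) {
    $interval = validate_cron_interval( $raw_interval );
    if ( null === $interval ) {
        return false;
    }
    return cron_schedule_for( $interval ) . ' php ' . escapeshellarg( $script_path );
}

// Constructed inputs: the first passes, the second is refused rather than sanitized.
var_dump( build_cron_line( 'daily', '/var/www/html/wp-cron.php' ) );
var_dump( build_cron_line( 'daily; echo injected', '/var/www/html/wp-cron.php' ) );
```

Because the reported attackers already hold Administrator privileges, capability checks alone do not address this flaw; the allowlist on the parameter itself is what removes the command injection path.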
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-50311
Vulnerability details
The Total Upkeep – WordPress Backup Plugin plus Restore & Migrate by BoldGrid plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.16.6 via the cron_interval parameter. This is due to missing input validation and sanitization. This makes it possible for authenticated attackers, with Administrator-level access and above, to execute code on the server.
- CWE(s): CWE-78 (OS Command Injection)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; any controls shown are derived from the weakness types (CWEs) cited in the NVD entry.