CVE-2024-43160
published 2024-08-13

CVE-2024-43160: Unrestricted Upload of File with Dangerous Type vulnerability in BerqWP allows Code Injection. This issue affects BerqWP: from n/a through 1.7.6.

Priority: P2 · 74 · critical
CVSS 3.1: 10 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EXPLOIT
EPSS: 4.62% (90.5th percentile)

Affected (1 range)

| Vendor | Product | Version range | Fixed in |
|--------|---------|---------------|----------|
| berqwp | berqwp  | n/a – 1.7.6   |          |

Detection & IOCs (extracted from sources)

path: /api/store_webp.php
path: /wp-json/optifer/v1/store-webp
command: image="{{base64(num)}}"&url={{filename}}.txt&license_key_hash=d41d8cd98f00b204e9800998ecf8427e
  • Detect unauthenticated POST requests to /wp-json/optifer/v1/store-webp with a Content-Type of application/x-www-form-urlencoded; this endpoint accepts arbitrary file uploads without authentication or file type validation.
  • The exploit payload uses the parameter `license_key_hash` set to the MD5 hash of an empty string (d41d8cd98f00b204e9800998ecf8427e); monitor POST bodies to the store-webp endpoint for this specific hash value as a strong exploitation indicator.
  • Fingerprint vulnerable installations by checking for the presence of /wp-content/plugins/searchpro in page source; this path is used as the initial probe step before exploitation.
  • After a successful upload, the attacker retrieves the uploaded file via a GET request to the web root; monitor for GET requests to recently uploaded non-image files (e.g., .txt, .php) in the WordPress web root that were preceded by a POST to /wp-json/optifer/v1/store-webp.
  • The vulnerability is unauthenticated (no credentials or nonce required); any POST to /wp-json/optifer/v1/store-webp from an unauthenticated session should be treated as suspicious and investigated.
  • The vulnerable endpoint path differs between the plugin's internal PHP file (/api/store_webp.php) and the exposed WordPress REST API route (/wp-json/optifer/v1/store-webp); detections should cover both paths as the REST route is the externally reachable attack surface.
  • The exploit is confirmed for BerqWP versions up to and including 1.7.6; version 1.7.7 and later are remediated. Ensure version-based detection rules account for this boundary.
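
The correlation described in the bullets above (a POST to either store-webp path, followed by a GET for a non-image file in the web root from the same client) can be run over web server access logs. The sketch below is an added example, not part of the original entry or of any vendor rule. It assumes combined-format access logs, a 10-minute correlation window, and constructed sample lines using documentation IP ranges.

```python
import re
from datetime import datetime, timedelta

# Both paths named in the entry: the REST route and the plugin's internal PHP file.
UPLOAD_PATHS = ("/wp-json/optifer/v1/store-webp", "/api/store_webp.php")
# A file directly in the web root whose extension is not an image type.
ROOT_FILE = re.compile(r"^/[^/?]+\.(?!(?:webp|png|jpe?g|gif|ico|svg)$)\w+$", re.I)
LOG_LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) '
)
WINDOW = timedelta(minutes=10)  # assumption: tune to your own traffic

def parse(line):
    """Split one combined-format line into (ip, time, method, path, status)."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["uri"].split("?")[0], int(m["status"])

def detect(lines):
    """Return (upload_posts, follow_up_fetches) as lists of (ip, time, path)."""
    uploads, fetches, last_post = [], [], {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue  # unparseable line: skip rather than abort the scan
        ip, ts, method, path, status = rec
        if method == "POST" and path.endswith(UPLOAD_PATHS):
            uploads.append((ip, ts, path))
            last_post[ip] = ts
        elif (method == "GET" and status == 200 and ROOT_FILE.match(path)
              and ip in last_post and ts - last_post[ip] <= WINDOW):
            fetches.append((ip, ts, path))
    return uploads, fetches

# Constructed sample log lines (not taken from a real incident).
SAMPLE_LOG = [
    '203.0.113.7 - - [14/Aug/2024:10:01:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "-"',
    '203.0.113.7 - - [14/Aug/2024:10:01:05 +0000] "POST /wp-json/optifer/v1/store-webp HTTP/1.1" 200 31 "-" "-"',
    '203.0.113.7 - - [14/Aug/2024:10:01:06 +0000] "GET /a1b2c3.txt HTTP/1.1" 200 10 "-" "-"',
    '198.51.100.4 - - [14/Aug/2024:10:02:00 +0000] "GET /robots.txt HTTP/1.1" 200 67 "-" "-"',
    '203.0.113.7 - - [14/Aug/2024:10:03:00 +0000] "GET /logo.png HTTP/1.1" 200 900 "-" "-"',
]
```

Access logs normally omit request bodies, so the `license_key_hash` indicator needs a WAF or body-logging source; every POST this returns is worth triage on its own because the route requires no authentication.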