CVE-2024-6366
published 2024-07-29

CVE-2024-6366: The User Profile Builder WordPress plugin before 3.11.8 does not have proper authorisation, allowing unauthenticated users to upload media files via the async…

Priority: P2 77 | Severity: critical 9.1 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EXPLOIT
EPSS: 28.99% (97.9th percentile)
The User Profile Builder WordPress plugin before 3.11.8 does not have proper authorisation, allowing unauthenticated users to upload media files via the async upload functionality of WP.

Affected

1 ranges

Vendor | Product | Version range | Fixed in
cozmoslabs | profile_builder | < 3.11.8 | 3.11.8

Detection & IOCs (extracted from sources)

url: /wp-admin/async-upload.php
path: /wp-content/plugins/profile-builder
other: wppb_upload=true
other: action=upload-attachment
  • Fingerprint vulnerable installations by checking for the string '/plugins/profile-builder' in the homepage body before probing the upload endpoint.
  • The exploit uses a GIF magic bytes header (GIF89a) with a .gif extension and image/jpeg Content-Type to bypass file type checks during async upload.
  • The _wpnonce value used in the PoC ('e8') is a placeholder/stub — a real nonce is not required for exploitation due to the missing authorisation check, but scanners may need to adjust this value.
  • The vulnerability only affects User Profile Builder plugin versions before 3.11.8; installations at 3.11.8 or later are not vulnerable.
  • The Nuclei template uses a randomised filename (rand_text_alpha) for each probe, so static filename-based detection will not reliably catch all exploit attempts — focus on the 'wppb_upload' form field and endpoint instead.
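
One way to act on the notes above is to match captured request bodies (for example from a WAF or reverse proxy) on the endpoint and the wppb_upload form field rather than on filenames. This is an added example, not code from the plugin, the PoC or the Nuclei template; the function names, the 'file' field name, the constructed sample request and the use of a missing wordpress_logged_in_ cookie as a stand-in for "unauthenticated" are assumptions.

```python
import email
from urllib.parse import urlsplit

ENDPOINT = "/wp-admin/async-upload.php"  # IOC listed on this page

def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into method, path, headers and form parts."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.decode("latin-1").split("\r\n")
    method, target, _ = request_line.split(" ", 2)
    headers = {k.strip().lower(): v.strip()
               for k, v in (h.split(":", 1) for h in header_lines if ":" in h)}
    # Reuse the stdlib MIME parser for the multipart/form-data body.
    ctype = headers.get("content-type", "").encode("latin-1")
    mime = email.message_from_bytes(b"Content-Type: " + ctype + b"\r\n\r\n" + body)
    parts = mime.get_payload() if mime.is_multipart() else []
    return method, urlsplit(target).path, headers, parts

def inspect(raw: bytes) -> list:
    """Return findings for one captured request; an empty list means no match."""
    method, path, headers, parts = parse_request(raw)
    if method != "POST" or not path.endswith(ENDPOINT):
        return []
    fields, findings = {}, []
    for p in parts:
        name = p.get_param("name", header="content-disposition")
        data = p.get_payload(decode=True) or b""
        if p.get_filename() is None:            # ordinary form field
            fields[name] = data.decode("latin-1").strip()
        elif data.startswith(b"GIF8") and p.get_content_type() != "image/gif":
            # GIF magic bytes under a different declared type (see note above)
            findings.append("declared type %s does not match GIF content"
                            % p.get_content_type())
    if fields.get("wppb_upload") != "true":     # key on the field, not the filename
        return []
    findings.insert(0, "wppb_upload=true on async upload endpoint")
    # Assumption: no WordPress login cookie means the request is unauthenticated.
    if "wordpress_logged_in_" not in headers.get("cookie", ""):
        findings.append("no WordPress login cookie")
    return findings

def sample(cookie: str = "", marker: str = "true", method: str = "POST") -> bytes:
    """Constructed request for exercising inspect(); 'file' is a placeholder name."""
    b = "XBOUNDARY"
    body = (f"--{b}\r\nContent-Disposition: form-data; name=\"wppb_upload\"\r\n\r\n"
            f"{marker}\r\n--{b}\r\nContent-Disposition: form-data; name=\"file\"; "
            f"filename=\"a.gif\"\r\nContent-Type: image/jpeg\r\n\r\nGIF89a;\r\n--{b}--\r\n")
    return (f"{method} {ENDPOINT} HTTP/1.1\r\nHost: wp.example\r\nCookie: {cookie}\r\n"
            f"Content-Type: multipart/form-data; boundary={b}\r\n\r\n{body}").encode()
```

Requests from logged-in users still match on the field and endpoint; the cookie finding only raises the priority of the alert.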