Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).
CVE-2024-6366
Severity
9.1CRITICAL
EPSS
91.5%
top 0.33%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
Timeline
PublishedJul 29
Description
The User Profile Builder WordPress plugin before 3.11.8 does not have proper authorisation, allowing unauthenticated users to upload media files via the async upload functionality of WP.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:NExploitability: 3.9 | Impact: 5.2