CVE-2024-6366
Published: 2024-07-29
Priority: P2 · 77 · critical · 9.1 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EXPLOIT
EPSS: 28.99% (97.9th percentile)
The User Profile Builder WordPress plugin before 3.11.8 does not have proper authorisation, allowing unauthenticated users to upload media files via the async upload functionality of WP.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cozmoslabs | profile_builder | < 3.11.8 | 3.11.8 |
Detection & IOCs
- Fingerprint vulnerable installations by checking for the string '/plugins/profile-builder' in the homepage body before probing the upload endpoint.
- The exploit uses a GIF magic bytes header (GIF89a) with a .gif extension and image/jpeg Content-Type to bypass file type checks during async upload.
- The _wpnonce value used in the PoC ('e8') is a placeholder/stub — a real nonce is not required for exploitation due to the missing authorisation check, but scanners may need to adjust this value.
- The vulnerability only affects User Profile Builder plugin versions before 3.11.8; installations at 3.11.8 or later are not vulnerable.
- The Nuclei template uses a randomised filename (rand_text_alpha) for each probe, so static filename-based detection will not reliably catch all exploit attempts — focus on the 'wppb_upload' form field and endpoint instead.
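The notes above suggest keying detection on the 'wppb_upload' field, the endpoint and the content/type mismatch rather than on filenames. The following is an added example, not code from the plugin, the Nuclei template or this page: it inspects one captured POST (for instance from a WAF audit log) and assumes the WordPress core path `wp-admin/async-upload.php` and the `wordpress_logged_in_` cookie prefix, neither of which the page names; the sample request and its file field name are constructed.

```python
from email import message_from_bytes

# Leading bytes -> MIME type for the image formats relevant here.
MAGIC = ((b"GIF87a", "image/gif"), (b"GIF89a", "image/gif"),
         (b"\xff\xd8\xff", "image/jpeg"), (b"\x89PNG\r\n\x1a\n", "image/png"))

def sniff(data):
    """Return the MIME type implied by the magic bytes, or None."""
    return next((mime for magic, mime in MAGIC if data.startswith(magic)), None)

def inspect_upload(path, headers, body):
    """Return findings for one captured POST (path, header dict, raw body)."""
    # Assumption: the async upload endpoint is WordPress core's async-upload.php.
    if not path.split("?", 1)[0].endswith("/wp-admin/async-upload.php"):
        return []
    # Reuse the stdlib MIME parser by prepending the request's Content-Type.
    raw = b"Content-Type: " + headers.get("Content-Type", "").encode() + b"\r\n\r\n" + body
    fields, findings = set(), []
    for part in message_from_bytes(raw).walk():
        if part.is_multipart():
            continue
        fields.add(part.get_param("name", header="content-disposition"))
        if part.get_filename() is None:
            continue  # ordinary form field, not a file part
        declared, actual = part.get_content_type(), sniff(part.get_payload(decode=True))
        if actual and actual != declared:
            findings.append(f"type-mismatch: declared {declared}, content is {actual}")
    if "wppb_upload" in fields:
        findings.append("wppb_upload field on async upload endpoint")
        # Assumption: a logged-in session carries a wordpress_logged_in_* cookie.
        if "wordpress_logged_in_" not in headers.get("Cookie", ""):
            findings.append("no WordPress login cookie: unauthenticated upload attempt")
    return findings

# Constructed sample request (not captured traffic); the file field name
# "upload", the field value and the filename are placeholders.
SAMPLE_HEADERS = {"Content-Type": "multipart/form-data; boundary=b0"}
SAMPLE_BODY = (
    b'--b0\r\nContent-Disposition: form-data; name="wppb_upload"\r\n\r\ntrue\r\n'
    b'--b0\r\nContent-Disposition: form-data; name="upload"; filename="qzxv.gif"\r\n'
    b'Content-Type: image/jpeg\r\n\r\nGIF89a\x01\x00\x01\x00\r\n--b0--\r\n'
)

if __name__ == "__main__":
    for finding in inspect_upload("/wp-admin/async-upload.php", SAMPLE_HEADERS, SAMPLE_BODY):
        print(finding)
```

The filename is never consulted, so the randomised names mentioned above do not affect the result.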
No detection rules found.
Nuclei
User Profile Builder < 3.11.8 - File Upload
nuclei·CVSS 9.1
CVE-2024-6366 [CRITICAL] User Profile Builder < 3.11.8 - File Upload
Template:
```yaml
id: CVE-2024-6366
info:
  name: User Profile Builder < 3.11.8 - File Upload
  author: s4e-io
  severity: high
  description: |
    The User Profile Builder WordPress plugin before 3.11.8 does not have proper authorisation, allowing unauthenticated users to upload media files via the async upload functionality of WP.
  impact: |
    Unauthenticated attackers can upload arbitrary media files through the async upload functionality, potentially uploading malicious files to the server.
  remediation: |
    Update User Profile Builder plugin to version 3.11.8 or later to address
```
No writeups or analysis indexed.
2024-07-29: Published