CVE-2024-8699

Severity
7.2 HIGH
EPSS
0.9%
top 25.10%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published May 15

Description

The Z-Downloads WordPress plugin before 1.11.5 does not properly validate uploaded files, allowing high-privilege users such as admin to upload arbitrary files to the server even when they should not be allowed to (for example, in a multisite setup).

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Exploitability: 1.2 | Impact: 5.9

Affected Packages (2 packages)

CVEListV5: unknown/z-downloads < 1.11.5
NVD: urbanbase/z-downloads < 1.11.5

🔴 Vulnerability Details (2)

GHSA
GHSA-m7mh-68hv-jwrj: The Z-Downloads WordPress plugin before 1 (2025-05-15)
CVEList
Z-Downloads < 1.11.5 - Admin+ Arbitrary File Upload (2025-05-15)
CVE-2024-8699 (HIGH CVSS 7.2) | The Z-Downloads WordPress plugin be | cvebase.io