CVE-2024-8856
published 2024-11-16

Priority: P1 · 91 · critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: ITW exploit · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 93.71% (99.8th percentile)

The Backup and Staging by WP Time Capsule plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the UploadHandler.php file and no direct file access prevention in all versions up to, and including, 1.22.21. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server, which may make remote code execution possible.

Affected (2 ranges)

Vendor  | Product                               | Version range | Fixed in
revmakx | backup_and_staging_by_wp_time_capsule | < 1.22.22     | 1.22.22
revmakx | backup_and_staging_by_wp_time_capsule | <= 1.22.21    |

Detection & IOCs (extracted from sources)

path: /wp-content/plugins/wp-time-capsule/wp-tcapsule-bridge/upload/php/index.php
path: /wp-content/plugins/wp-time-capsule/wp-tcapsule-bridge/upload/php/files/
filename: UploadHandler.php
filename: 00.php
yara (id: CVE-2024-8856): Nuclei template targeting POST to /wp-content/plugins/wp-time-capsule/wp-tcapsule-bridge/upload/php/index.php with a multipart PHP file upload, followed by GET to /wp-content/plugins/wp-time-capsule/wp-tcapsule-bridge/upload/php/files/*.php
  • Monitor for unauthenticated POST requests to the vulnerable upload endpoint; the path /wp-content/plugins/wp-time-capsule/wp-tcapsule-bridge/upload/php/index.php with a multipart body containing a .php filename is a strong indicator of exploitation.
  • Detect the bypass technique: the attacker uses a PHP filename whose total length equals that of an allowed extension (e.g., '.crypt' is 6 characters), such as '00.php', so that it passes the flawed extension-length check in UploadHandler.php.
  • Alert on GET requests to /wp-content/plugins/wp-time-capsule/wp-tcapsule-bridge/upload/php/files/*.php, which indicates a previously uploaded webshell is being accessed for RCE.
  • Use FOFA/PublicWWW fingerprint query to identify exposed vulnerable WordPress instances: search for body containing '/wp-content/plugins/wp-time-capsule/'.
  • Successful exploit response contains JSON keys 'url":', '"files":', and '"deleteType":' in the response body from the upload endpoint — use these as detection words in WAF/IDS rules.
  • The exploit sends Content-Type: text/php (or application/x-php) for the uploaded file part in the multipart request — flag multipart uploads to WordPress plugin paths where the file part Content-Type is a PHP MIME type.
  • The vulnerability affects all versions up to and including 1.22.21; the exploit-db PoC was tested specifically against version 1.21.16, so the exact upload path or behavior may vary slightly across sub-versions.
  • The Nuclei template uses a randomized 2-character base filename (randbase(2)) for the uploaded PHP file, meaning the exact filename in the upload path will vary per exploitation attempt; pattern-match on the directory path rather than a fixed filename.
  • No authentication is required to exploit this vulnerability; all detections should be scoped to unauthenticated (no valid WordPress session cookie) requests to the upload endpoint.

CVSS provenance

Source    | Version | Score | Severity | Vector
nvd       | v3.1    | 9.8   | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck |         | 9.8   | CRITICAL |