CVE-2024-10586

Name of the Vulnerable Software and Affected Versions Debug Tool plugin for WordPress versions up to, and including, 2.2

Description The issue is related to arbitrary file creation due to a missing capability check on the dbt pull image() function and missing file type validation. This allows unauthenticated attackers to create arbitrary files, such as .php files, which can be leveraged for remote code execution.

Recommendations For versions up to, and including, 2.2, update the Debug Tool plugin to the latest version to mitigate risks. As a temporary workaround, consider restricting access to the dbt pull image() function until a patch is available. Additionally, review the code for potential exploits and ensure that file type validation is properly implemented to prevent arbitrary file creation.