CVE-2024-10590

Name of the Vulnerable Software and Affected Versions Opt-In Downloads plugin for WordPress versions up to, and including, 4.07

Description The issue is related to missing file type validation in the admin upload() function, allowing authenticated attackers with Subscriber-level access and above to upload arbitrary files on the affected site's server. This may make remote code execution possible, particularly on NGINX servers due to the presence of an .htaccess file, unless another vulnerability is present.

Recommendations For versions up to, and including, 4.07, consider disabling the admin upload() function until a patch is available to prevent arbitrary file uploads. Restrict access to the Opt-In Downloads plugin to minimize the risk of exploitation. Avoid using the plugin until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.