CVE-2024-10629

Name of the Vulnerable Software and Affected Versions GPX Viewer plugin for WordPress versions up to, and including, 2.2.8

Description The GPX Viewer plugin for WordPress is vulnerable to arbitrary file creation due to a missing capability check and file type validation in the gpxv file upload() function. This makes it possible for authenticated attackers, with subscriber-level access and above, to create arbitrary files on the affected site's server, which may make remote code execution possible.

Recommendations For versions up to, and including, 2.2.8, update the plugin to the latest version to mitigate risks. As a temporary workaround, consider disabling the gpxv file upload() function until a patch is available. Restrict access to the plugin's file upload functionality to minimize the risk of exploitation.