PT-2024-16745 · Tumult · Tumult Hype Animations
Dale Mavers
+1
·
Published
2024-11-28
·
Updated
2024-12-03
·
CVE-2024-11082
CVSS v3.1
9.9
Critical
| Vector | AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Tumult Hype Animations plugin for WordPress versions up to, and including, 1.9.15
Description
The Tumult Hype Animations plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the
hypeanimations panel() function. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server, which may make remote code execution possible.Recommendations
For versions up to, and including, 1.9.15, update to a version that includes the fix for this issue.
As a temporary workaround, consider disabling the
hypeanimations panel() function until a patch is available.Fix
Unrestricted File Upload
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Tumult Hype Animations