CVE-2024-11150

Name of the Vulnerable Software and Affected Versions WordPress User Extra Fields plugin versions up to, and including, 16.6

Description The WordPress User Extra Fields plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete tmp uploaded file() function. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted, such as wp-config.php.

Recommendations For WordPress User Extra Fields plugin versions up to, and including, 16.6, update to a version later than 16.6 to mitigate the risk of arbitrary file deletion. As a temporary workaround, consider disabling the delete tmp uploaded file() function until a patch is available. Restrict access to sensitive files, such as wp-config.php, to minimize the risk of exploitation.