CVE-2024-12300

Name of the Vulnerable Software and Affected Versions AR for WordPress plugin for WordPress versions up to, and including, 7.3

Description The issue is related to unauthorized double extension file upload due to a missing capability check on the set ar featured image() function. This allows unauthenticated attackers to upload php files leveraging a double extension attack. However, the file is deleted immediately, and double extension attacks only work on select servers, making successful exploitation unlikely.

Recommendations For versions up to, and including, 7.3, consider disabling the set ar featured image() function until a patch is available to prevent unauthorized file uploads. At the moment, there is no information about a newer version that contains a fix for this vulnerability.