CVE-2024-6132

Name of the Vulnerable Software and Affected Versions: Pexels: Free Stock Photos plugin for WordPress versions up to, and including, 1.2.2

Description: The issue is related to arbitrary file uploads due to missing file type validation in the pexels fsp images options validate function. This allows authenticated attackers with contributor-level and above permissions to upload arbitrary files on the affected site's server, potentially making remote code execution possible.

Recommendations: For versions up to, and including, 1.2.2, update to a version that includes the fix for the missing file type validation in the pexels fsp images options validate function. As a temporary workaround, consider restricting the pexels fsp images options validate function to prevent arbitrary file uploads until a patch is available. Additionally, restrict access to the plugin's image upload functionality to minimize the risk of exploitation.