CVE-2024-6161

Name of the Vulnerable Software and Affected Versions: Default Thumbnail Plus plugin for WordPress versions up to, and including, 1.0.2.3

Description: The issue is related to missing file type validation in the get cache image function, allowing authenticated attackers with contributor-level and above permissions to upload arbitrary files on the affected site's server. This may make remote code execution possible.

Recommendations: For versions up to, and including, 1.0.2.3, update to a version that includes the fix for the missing file type validation in the get cache image function to prevent arbitrary file uploads. As a temporary workaround, consider restricting the use of the get cache image function until a patch is available. Additionally, restrict access to the Default Thumbnail Plus plugin to minimize the risk of exploitation.