CVE-2024-6309

Name of the Vulnerable Software and Affected Versions: Attachment File Icons plugin for WordPress versions up to, and including, 1.3

Description: The issue is due to missing nonce validation in the afi overview function and missing file type validation in the upload icons function, making it possible for unauthenticated attackers to upload arbitrary files on the affected site's server. This may lead to remote code execution via a forged request if an attacker can trick a site administrator into performing an action such as clicking on a link.

Recommendations: For Attachment File Icons plugin for WordPress versions up to, and including, 1.3: As a temporary workaround, consider disabling the afi overview and upload icons functions until a patch is available. Restrict access to the plugin's upload functionality to minimize the risk of exploitation. Avoid using the plugin until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.