CVE-2024-6310

Name of the Vulnerable Software and Affected Versions: Advanced AJAX Page Loader plugin for WordPress versions up to, and including, 2.7.7

Description: The issue is due to missing nonce validation in the admin init AAPL function and missing file type validation in the AAPL options validate function. This allows unauthenticated attackers to upload arbitrary files on the affected site's server, potentially making remote code execution possible via a forged request if they can trick a site administrator into performing an action such as clicking on a link.

Recommendations: For versions up to, and including, 2.7.7, update to a version that includes the necessary nonce and file type validations to prevent Cross-Site Request Forgery to Arbitrary File Upload. As a temporary workaround, consider disabling the admin init AAPL and AAPL options validate functions until a patch is available. Restrict access to the plugin's file upload functionality to minimize the risk of exploitation.