CVE-2024-6321

Name of the Vulnerable Software and Affected Versions: ScrollTo Bottom plugin for WordPress versions up to, and including, 1.1.1

Description: The issue is due to missing nonce validation and missing file type validation in the options page function, making it possible for unauthenticated attackers to upload arbitrary files on the affected site's server. This may lead to remote code execution via a forged request if a site administrator can be tricked into performing an action such as clicking on a link.

Recommendations: For versions up to, and including, 1.1.1, update to a version that includes nonce validation and file type validation in the options page function to prevent arbitrary file uploads. As a temporary workaround, consider restricting access to the options page function until a patch is available. Additionally, be cautious of links from untrusted sources to minimize the risk of exploitation.