CVE-2024-6885

Name of the Vulnerable Software and Affected Versions The MaxiBlocks: 2200+ Patterns, 190 Pages, 14.2K Icons & 100 Styles plugin for WordPress versions up to, and including, 1.9.2

Description The issue is related to insufficient file path validation in the maxi remove custom image size and maxi add custom image size functions. This allows authenticated attackers with Subscriber-level access and above to delete arbitrary files on the server, potentially leading to remote code execution if critical files like wp-config.php are deleted.

Recommendations For versions up to, and including, 1.9.2, as a temporary workaround, consider disabling the maxi remove custom image size and maxi add custom image size functions until a patch is available. Restrict access to these functions to minimize the risk of exploitation. Avoid using these functions until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.