PT-2024-38461 · WordPress · Wp Delicious – Recipe Plugin

Connor Billings · Published 2024-09-11 · Updated 2024-09-25 · CVE-2024-7626

CVSS v3.1: 8.1 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions

The WP Delicious – Recipe Plugin for Food Bloggers plugin for WordPress, versions up to and including 1.6.9.

Description

The issue stems from insufficient file path validation in the save_edit_profile_details() function, which allows authenticated attackers with subscriber-level access and above to move arbitrary files on the server. This can lead to remote code execution when the right file is moved, such as wp-config.php, and also enables the reading of arbitrary files that may contain sensitive information.

Recommendations

If you run version 1.6.9 or earlier, update to a version higher than 1.6.9 to prevent arbitrary file movement and reading. As a temporary workaround, consider restricting access to the save_edit_profile_details() function until a patch is available. Restrict access to sensitive files like wp-config.php to minimize the risk of exploitation.

Fix

RCE

Weakness Enumeration

Related Identifiers: CVE-2024-7626

Affected Products: Wp Delicious – Recipe Plugin