PT-2024-39435 · WordPress · Wechat Social Login Plugin

István Márton

Published

2024-10-01

Updated

2024-10-05

CVE-2024-9108

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Wechat Social login plugin for WordPress versions up to, and including, 1.3.0

Description The Wechat Social login plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the convert remoteimage to local function. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server, which may make remote code execution possible.

Recommendations For Wechat Social login plugin for WordPress versions up to, and including, 1.3.0, consider disabling the convert remoteimage to local function until a patch is available to prevent arbitrary file uploads. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Unrestricted File Upload

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-434

Related Identifiers

CVE-2024-9108

Affected Products

Wechat Social Login Plugin

PT-2024-39435 · WordPress · Wechat Social Login Plugin

CVE-2024-9108

Weakness Enumeration

Related Identifiers

Affected Products

References · 10