PT-2024-39561 · WordPress · Mfolio Lite

Francesco Carlucci · Published 2024-11-05 · Updated 2024-11-09 · CVE-2024-9307

CVSS v3.1: 9.9 (Critical)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
mFolio Lite plugin for WordPress, version 1.2.1 and earlier

Description
The vulnerability stems from a missing capability check, which allows authenticated attackers with Author-level access or higher to inject arbitrary web scripts into pages or to upload arbitrary EXE files to the affected site's server. This may lead to remote code execution if the attacker can also execute the uploaded .exe file, or can trick a site visitor into downloading and running it.

Recommendations
For versions 1.2.1 and earlier, update to a version that includes a fix for the missing capability check so that arbitrary file uploads are prevented. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
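To illustrate the bug class the advisory describes, here is an added example (not the plugin's own code): a WordPress AJAX upload handler that omits the capability check, beside a hardened version. The action name, function names and the choice of the `manage_options` capability are assumptions for illustration.

```php
<?php
// Added example, not code from the mFolio Lite plugin. Hook and function
// names are hypothetical. Requires WordPress (wp_* functions).

// Vulnerable pattern (shown for contrast, intentionally not hooked):
// every logged-in user reaching wp_ajax_* can call it, and the file is
// stored under its original name and extension with no type validation.
function example_upload_vulnerable() {
    $dir = wp_upload_dir();
    move_uploaded_file(
        $_FILES['file']['tmp_name'],
        $dir['path'] . '/' . $_FILES['file']['name']
    );
    wp_send_json_success();
}

// Hardened pattern: nonce check, capability check and type validation.
add_action( 'wp_ajax_example_portfolio_upload', 'example_upload_hardened' );
function example_upload_hardened() {
    // CSRF protection: the request must carry a nonce for this action.
    check_ajax_referer( 'example_portfolio_upload' );

    // Capability check (assumption: only administrators manage uploads here).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    if ( empty( $_FILES['file'] ) ) {
        wp_send_json_error( 'no file', 400 );
    }

    require_once ABSPATH . 'wp-admin/includes/file.php';

    // Let WordPress validate extension and MIME type; only portfolio image
    // types are accepted, so an .exe is rejected before it is written.
    $result = wp_handle_upload( $_FILES['file'], array(
        'test_form' => false,
        'mimes'     => array(
            'jpg|jpeg' => 'image/jpeg',
            'png'      => 'image/png',
        ),
    ) );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }
    wp_send_json_success( array( 'url' => $result['url'] ) );
}
```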

Weakness Enumeration
Unrestricted File Upload

Related Identifiers
CVE-2024-9307

Affected Products
Mfolio Lite