CVE-2024-8856

Name of the Vulnerable Software and Affected Versions Backup and Staging by WP Time Capsule plugin for WordPress versions up to, and including, 1.22.21

Description The issue is related to arbitrary file uploads due to missing file type validation in the UploadHandler.php file and no direct file access prevention. This allows unauthenticated attackers to upload arbitrary files on the affected site's server, which may make remote code execution possible. The estimated number of potentially affected devices worldwide is over 20,000 sites. The vulnerability can be exploited to inject backdoors or malware and take full control of affected websites.

Recommendations For versions up to, and including, 1.22.21, update the plugin to a version that includes the fix for this issue. As a temporary workaround, consider disabling the UploadHandler.php file until a patch is available. Restrict access to the UploadHandler.php file to minimize the risk of exploitation. Avoid using the plugin until the issue is resolved.