PT-2025-1632 · WordPress · Webinarpress

Lucio Sá · Published 2025-01-08 · Updated 2025-11-11

CVE-2024-11270

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: WebinarPress plugin for WordPress, versions up to and including 1.33.24

Description: The WebinarPress plugin for WordPress is vulnerable to arbitrary file creation due to a missing capability check on the sync-import-imgs function and missing file type validation. This allows authenticated attackers, with subscriber-level access and above, to create arbitrary files that can lead to remote code execution.

Recommendations: For versions up to and including 1.33.24, update to a version higher than 1.33.24 to resolve the issue. As a temporary workaround, consider disabling the sync-import-imgs function until a patch is available. Restrict access to the plugin to minimize the risk of exploitation.
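As an added illustration of the weakness class described above (a hypothetical handler, not the WebinarPress plugin's code), a WordPress AJAX image-import endpoint is shown first with the two missing checks and then in a hardened form; the action names demo_sync_import_imgs* and the allowed image types are assumptions:

```php
<?php
// Added example: a hypothetical WordPress AJAX image-import handler, NOT the
// WebinarPress plugin's code. Action names "demo_sync_import_imgs*" are assumed.

// Weak form: wp_ajax_* hooks are reachable by any logged-in user (subscriber
// and above), and both the file name and content come straight from the request.
add_action( 'wp_ajax_demo_sync_import_imgs_weak', function () {
    $name = $_POST['img_name'];                                  // no capability check,
    $body = file_get_contents( $_POST['img_url'] );              // no nonce, no type check
    file_put_contents( wp_upload_dir()['basedir'] . '/' . $name, $body );
    wp_send_json_success();
} );

// Hardened form: authorization, request-forgery check, URL validation, and
// content-based image type validation before anything is written to disk.
add_action( 'wp_ajax_demo_sync_import_imgs', function () {
    require_once ABSPATH . 'wp-admin/includes/file.php';        // provides download_url()
    check_ajax_referer( 'demo_sync_import_imgs', 'nonce' );     // reject forged requests
    if ( ! current_user_can( 'upload_files' ) ) {               // subscribers lack this cap
        wp_send_json_error( 'forbidden', 403 );
    }
    $url = wp_http_validate_url( wp_unslash( $_POST['img_url'] ?? '' ) );
    if ( ! $url ) {
        wp_send_json_error( 'invalid url', 400 );
    }
    $tmp = download_url( $url );                                 // fetch to a temp file
    if ( is_wp_error( $tmp ) ) {
        wp_send_json_error( 'download failed', 502 );
    }
    // Derive the name from the URL path and sanitize it; never trust a free-form name.
    $name  = sanitize_file_name( basename( (string) wp_parse_url( $url, PHP_URL_PATH ) ) );
    $check = wp_check_filetype_and_ext( $tmp, $name );          // sniffs bytes, not just extension
    $allowed = array( 'image/jpeg', 'image/png', 'image/gif', 'image/webp' ); // assumed list
    if ( empty( $check['type'] ) || ! in_array( $check['type'], $allowed, true ) ) {
        wp_delete_file( $tmp );
        wp_send_json_error( 'unsupported file type', 415 );
    }
    $dir = wp_upload_dir()['basedir'] . '/demo-imports';
    wp_mkdir_p( $dir );
    $final = $check['proper_filename'] ? $check['proper_filename'] : $name;
    $dest  = $dir . '/' . wp_unique_filename( $dir, $final );
    if ( ! rename( $tmp, $dest ) ) {
        wp_delete_file( $tmp );
        wp_send_json_error( 'could not store file', 500 );
    }
    wp_send_json_success( array( 'file' => basename( $dest ) ) );
} );
```

The hardened handler closes both gaps named in the description: current_user_can() supplies the capability check, and wp_check_filetype_and_ext() against an image allow-list supplies the file type validation.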

Fix · RCE · Missing Authorization

Weakness Enumeration

Related Identifiers: CVE-2024-11270

Affected Products: Webinarpress