PT-2025-1860 · Gpt4+5 · Gpt4+5
Lucio Sá
·
Published
2025-01-07
·
Updated
2025-01-12
·
CVE-2024-12471
CVSS v3.1
8.8
High
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
The Post Saint: ChatGPT, GPT4, DALL-E, Stable Diffusion, Pexels, Dezgo AI Text & Image Generator plugin for WordPress versions up to, and including, 1.3.1
Description
The issue is related to a missing capability check and file type validation on the
add image to library AJAX action function. This allows authenticated attackers with subscriber-level access and above to upload arbitrary files, making remote code execution possible.Recommendations
For versions up to, and including, 1.3.1, update to version 1.3.2 to patch the security flaw.
As a temporary workaround, consider disabling the
add image to library AJAX action function until a patch is available.
Restrict access to the add image to library function to minimize the risk of exploitation.Fix
Code Injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Chatgpt
Dall-E
Dezgo Ai Text & Image Generator
Gpt4
Pexels
Stable Diffusion