PT-2025-18752 · WordPress · Wordpress

Lucio Sá · Published 2025-05-02 · Updated 2025-05-07 · CVE-2024-13418

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: WordPress (affected versions not specified)
Description: The issue is a missing capability check on the ajaxUploadFonts() function in various WordPress plugins and themes, which allows authenticated attackers with Subscriber-level access and above to upload arbitrary files. This can potentially lead to remote code execution. The issue was escalated to Envato over two months ago and, while partially patched, remains vulnerable.
Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
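For defenders reviewing their own plugins or themes, the bug class described above is an admin-ajax upload handler that any logged-in user can reach. The following is an added illustration of the hardened form of such a handler, not code from WordPress or from any affected plugin; the action name, function name and request field names are hypothetical.

```php
<?php
// Added illustration (not code from any affected plugin): a hardened
// WordPress admin-ajax upload handler. The action and function names are
// hypothetical; the checks below are what a missing capability check omits.

add_action( 'wp_ajax_example_upload_font', 'example_upload_font_handler' );

function example_upload_font_handler() {
    // 1. Capability check: only users allowed to manage theme options.
    //    Without this, any authenticated Subscriber can reach the handler.
    if ( ! current_user_can( 'edit_theme_options' ) ) {
        wp_send_json_error( 'Insufficient permissions', 403 );
    }

    // 2. Nonce check to stop cross-site request forgery of the upload.
    check_ajax_referer( 'example_upload_font', 'nonce' );

    if ( empty( $_FILES['font'] ) ) {
        wp_send_json_error( 'No file uploaded', 400 );
    }

    // 3. Allow-list the accepted font types; anything else (including
    //    .php or double-extension names) is rejected before it is written.
    //    Note: the MIME strings libmagic reports for fonts vary by version,
    //    so the list may need adjusting for a given host.
    $allowed = array(
        'ttf'   => 'font/ttf',
        'otf'   => 'font/otf',
        'woff'  => 'font/woff',
        'woff2' => 'font/woff2',
    );
    $check = wp_check_filetype_and_ext(
        $_FILES['font']['tmp_name'],
        $_FILES['font']['name'],
        $allowed
    );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'File type not permitted', 415 );
    }

    // 4. Let WordPress move the file, applying the same allow-list again.
    $result = wp_handle_upload(
        $_FILES['font'],
        array( 'test_form' => false, 'mimes' => $allowed )
    );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 500 );
    }

    wp_send_json_success( array( 'url' => $result['url'] ) );
}
```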

Tags: RCE, Unrestricted File Upload

Weakness Enumeration:
Related Identifiers: CVE-2024-13418
Affected Products: Wordpress