CVE-2020-24186: Malicious File Upload
First published: Mon Aug 24 2020(Updated: )
A Remote Code Execution vulnerability exists in the gVectors wpDiscuz plugin 7.0 through 7.0.4 for WordPress, which allows unauthenticated users to upload any type of file, including PHP files via the wmuUploadFiles AJAX action.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Gvectors Wpdiscuz | >=7.0<=7.0.4 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://packetstormsecurity.com/files/162983/WordPress-wpDiscuz-7.0.4-Shell-Upload.html
- http://packetstormsecurity.com/files/163012/WordPress-wpDiscuz-7.0.4-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/163302/WordPress-wpDiscuz-7.0.4-Shell-Upload.html
- https://www.wordfence.com/blog/2020/07/critical-arbitrary-file-upload-vulnerability-patched-in-wpdiscuz-plugin/
Frequently Asked Questions
What is the vulnerability ID?
The vulnerability ID is CVE-2020-24186.
What is the severity of CVE-2020-24186?
The severity of CVE-2020-24186 is critical.
What is the affected software?
The affected software is the gVectors wpDiscuz plugin version 7.0 through 7.0.4 for WordPress.
What can an unauthenticated user do with CVE-2020-24186?
An unauthenticated user can upload any type of file, including PHP files, via the wmuUploadFiles AJAX action.
Are there any known fixes for CVE-2020-24186?
There are no known fixes for CVE-2020-24186 at the moment. It is recommended to disable or remove the gVectors wpDiscuz plugin until a patch is available.
- collector/nvd-index
- vendor/gvectors
- canonical/gvectors wpdiscuz
- version/gvectors wpdiscuz/7.0
- version/gvectors wpdiscuz/7.0.4