CVE-2024-10586: Debug Tool <= 2.2 - Unauthenticated Arbitrary File Creation
First published: Sat Nov 09 2024(Updated: )
The Debug Tool plugin for WordPress is vulnerable to arbitrary file creation due to a missing capability check on the dbt_pull_image() function and missing file type validation in all versions up to, and including, 2.2. This makes it possible for unauthenticated attackers to to create arbitrary files such as .php files that can be leveraged for remote code execution.
Credit: security@wordfence.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| WordPress Debug Tool | <=2.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2024-10586?
CVE-2024-10586 is rated as a medium severity vulnerability due to the risk of arbitrary file creation by unauthenticated attackers.
How do I fix CVE-2024-10586?
To fix CVE-2024-10586, update the Debug Tool plugin to version 2.3 or later which addresses the vulnerability.
Who is affected by CVE-2024-10586?
CVE-2024-10586 affects all versions of the WordPress Debug Tool plugin up to and including version 2.2.
What exploit method is used in CVE-2024-10586?
The exploit method for CVE-2024-10586 involves missing capability checks and file type validation, allowing arbitrary file creation.
Is CVE-2024-10586 easy to exploit?
Yes, CVE-2024-10586 is considered easy to exploit as it can be executed by unauthenticated users.
- agent/title
- agent/weakness
- agent/references
- agent/type
- agent/first-publish-date
- agent/description
- agent/severity
- agent/author
- agent/event
- collector/nvd-api
- source/NVD
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/source
- agent/softwarecombine
- agent/tags
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/wordpress
- canonical/wordpress debug tool