Vulnerability Description
A Remote Code Execution vulnerability exists in the gVectors wpDiscuz plugin 7.0 through 7.0.4 for WordPress, which allows unauthenticated users to upload any type of file, including PHP files via the wmuUploadFiles AJAX action.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Gvectors | Wpdiscuz | >= 7.0, <= 7.0.4 |
Related Weaknesses (CWE)
References
- http://packetstormsecurity.com/files/162983/WordPress-wpDiscuz-7.0.4-Shell-UploaExploitThird Party AdvisoryVDB Entry
- http://packetstormsecurity.com/files/163012/WordPress-wpDiscuz-7.0.4-Remote-CodeExploitThird Party AdvisoryVDB Entry
- http://packetstormsecurity.com/files/163302/WordPress-wpDiscuz-7.0.4-Shell-UploaExploitThird Party AdvisoryVDB Entry
- https://www.wordfence.com/blog/2020/07/critical-arbitrary-file-upload-vulnerabilExploitThird Party Advisory
- http://packetstormsecurity.com/files/162983/WordPress-wpDiscuz-7.0.4-Shell-UploaExploitThird Party AdvisoryVDB Entry
- http://packetstormsecurity.com/files/163012/WordPress-wpDiscuz-7.0.4-Remote-CodeExploitThird Party AdvisoryVDB Entry
- http://packetstormsecurity.com/files/163302/WordPress-wpDiscuz-7.0.4-Shell-UploaExploitThird Party AdvisoryVDB Entry
- https://www.wordfence.com/blog/2020/07/critical-arbitrary-file-upload-vulnerabilExploitThird Party Advisory
FAQ
What is CVE-2020-24186?
CVE-2020-24186 is a vulnerability with a CVSS score of 10.0 (CRITICAL). A Remote Code Execution vulnerability exists in the gVectors wpDiscuz plugin 7.0 through 7.0.4 for WordPress, which allows unauthenticated users to upload any type of file, including PHP files via the...
How severe is CVE-2020-24186?
CVE-2020-24186 has been rated CRITICAL with a CVSS base score of 10.0/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2020-24186?
Check the references section above for vendor advisories and patch information. Affected products include: Gvectors Wpdiscuz.