CVE-2023-49814: 
WordPress vulnerability analysis and mitigation

The Symbiostock – Sell Photos Online For Free! WordPress plugin contains an Unrestricted Upload of File with Dangerous Type vulnerability (CVE-2023-49814) affecting all versions up to and including 6.0.0. The vulnerability was discovered by Rafie Muhammad and publicly disclosed on December 5, 2023 (Patchstack, WPScan).

The vulnerability is classified as an arbitrary file upload vulnerability due to missing file type validation in the plugin. It has received a CVSS v3.1 base score of 7.2 (High) from NIST and 9.1 (Critical) from Patchstack. The vulnerability requires high privileges (Shop Manager level or above) and no user interaction, with attack vector being network-based (NVD).

This vulnerability could allow authenticated attackers with shop manager-level access or above to upload arbitrary files to the affected site's server, potentially leading to remote code execution (WPScan).

Currently, there is no official fix available for this vulnerability. Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until an official fix becomes available (Patchstack).