CVE-2024-10820: 
WordPress vulnerability analysis and mitigation

The WooCommerce Upload Files plugin for WordPress (versions up to and including 84.3) contains a critical vulnerability (CVE-2024-10820) that was discovered and disclosed on November 12, 2024. This vulnerability affects the upload_files() function due to missing file type validation, allowing unauthenticated attackers to upload arbitrary files to the affected site's server (NVD).

The vulnerability is classified with a CVSS v3.1 base score of 9.8 (Critical), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The issue stems from insufficient file type validation in the upload_files() function, which could allow malicious file uploads. This vulnerability is categorized as CWE-434 (Unrestricted Upload of File with Dangerous Type) (NVD, Wordfence).

The vulnerability allows unauthenticated attackers to upload arbitrary files to the affected site's server, which could potentially lead to remote code execution. This presents a severe security risk as it could allow attackers to take control of the affected WordPress installation (NVD).

The vulnerability has been patched in version 84.4 of the WooCommerce Upload Files plugin. Site administrators are strongly advised to update to this version or later to protect against potential attacks (CodeCanyon).