CVE-2024-11082: 
WordPress vulnerability analysis and mitigation

The Tumult Hype Animations plugin for WordPress contains a critical vulnerability (CVE-2024-11082) discovered in versions up to and including 1.9.15. The vulnerability stems from missing file type validation in the hypeanimations_panel() function, which allows authenticated users with Author-level access or higher to upload arbitrary files to the server (NVD).

The vulnerability is classified as an Unrestricted Upload of File with Dangerous Type (CWE-434). It has received a CVSS v3.1 base score of 9.9 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H, indicating network accessibility, low attack complexity, and high impact across confidentiality, integrity, and availability (NVD, Wordfence).

The vulnerability allows authenticated attackers with Author-level privileges or higher to upload arbitrary files to the affected site's server, potentially enabling remote code execution. This could lead to complete compromise of the affected WordPress installation (NVD).

The vulnerability has been patched in version 1.9.16 of the Tumult Hype Animations plugin. Users are strongly advised to update to this latest version which implements additional checks for executable files during replacement (WordPress Plugin, GitHub Commit).