CVE-2024-13544: 
WordPress vulnerability analysis and mitigation

The Zarinpal Paid Download WordPress plugin through version 2.3 contains a file upload validation vulnerability that was discovered in early 2025. This security flaw affects the plugin's file handling functionality and impacts WordPress installations using the affected versions (WPScan, NVD).

The vulnerability is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type) and has received a CVSS v3.1 base score of 4.8 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N. The security flaw stems from improper validation of uploaded files in the plugin's file handling system (NVD).

The vulnerability allows high-privilege users such as administrators to upload arbitrary files to the server in scenarios where such uploads should be restricted, particularly in multisite WordPress setups. This could potentially lead to unauthorized file execution on the affected server (WPScan).

Currently, there is no known fix available for this vulnerability. Users of the Zarinpal Paid Download plugin should consider implementing additional security measures or temporarily disabling the plugin until a patch is released (WPScan).