CVE-2024-13908: 
WordPress vulnerability analysis and mitigation

The SMTP by BestWebSoft plugin for WordPress contains a vulnerability (CVE-2024-13908) related to arbitrary file uploads. The vulnerability affects all versions up to and including 1.1.9, and was discovered in March 2025. The issue stems from missing file type validation in the 'save_options' function, which could potentially allow authenticated attackers with Administrator-level access to upload arbitrary files to the affected site's server (NVD Database).

The vulnerability is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type) and has received a CVSS v3.1 Base Score of 7.2 (HIGH). The attack vector is network-based (AV:N), with low attack complexity (AC:L), requiring high privileges (PR:H), no user interaction (UI:N), and affecting only the local system scope (S:U). The impact metrics show high confidentiality, integrity, and availability impacts (C:H/I:H/A:H) (NVD Database).

If exploited, this vulnerability could enable remote code execution on the affected server through the upload of malicious files. The attack requires administrator-level access, which somewhat limits its potential impact, but could be particularly dangerous if an attacker has already compromised an administrative account (NVD Database).

Website administrators should update the SMTP by BestWebSoft plugin to version 1.2.0 or later, which contains the fix for this vulnerability. If immediate updating is not possible, consider temporarily disabling the plugin or implementing additional access controls to restrict administrative access (NVD Database).