CVE-2024-2381: 
WordPress vulnerability analysis and mitigation

The AliExpress Dropshipping with AliNext Lite plugin for WordPress contains an arbitrary file upload vulnerability (CVE-2024-2381) discovered in June 2024. The vulnerability affects all versions up to and including 3.3.5, due to missing file type validation in the ajaxsaveimage function (Wordfence).

The vulnerability stems from missing file type validation in the ajaxsaveimage function, which allows authenticated users with subscriber-level access or higher to upload arbitrary files to the affected site's server. The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The issue is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type) (NVD).

The vulnerability allows authenticated attackers to upload arbitrary files to the server, which could potentially lead to remote code execution. This poses a significant security risk as it could allow attackers to gain unauthorized access to the server and execute malicious code (Wordfence).

Users should update to version 3.3.6 or later of the AliExpress Dropshipping with AliNext Lite plugin to address this vulnerability. If immediate updating is not possible, it is recommended to restrict access to the plugin's functionality to trusted administrators only (NVD).