CVE-2024-25909: 
WordPress vulnerability analysis and mitigation

The WP Media folder plugin for WordPress contains an Unrestricted Upload of File with Dangerous Type vulnerability (CVE-2024-25909) affecting versions up to and including 5.7.2. The vulnerability was discovered on February 12, 2024, and was publicly disclosed on February 15, 2024. This security issue affects the plugin's file upload functionality and has been assigned a critical CVSS score of 9.9 (Patchstack).

The vulnerability stems from missing file type validation functionality in the WP Media folder plugin. This security flaw allows authenticated users with subscriber-level privileges or higher to upload arbitrary files to the affected site's server. The vulnerability has been assigned CWE-434 (Unrestricted Upload of File with Dangerous Type) and received a CVSS v3.1 score of 9.9 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H (WPScan, Patchstack).

The vulnerability could potentially enable remote code execution on the affected server through the upload of malicious files. Given the critical CVSS score and the low complexity of exploitation, this vulnerability poses a significant risk to affected WordPress installations. The impact spans across confidentiality, integrity, and availability of the system, with all three aspects rated as 'High' in the CVSS scoring (Patchstack).

The vulnerability has been patched in version 5.7.3 of the WP Media folder plugin. Site administrators are strongly advised to update to this version or later immediately. For those unable to update immediately, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until the update can be applied (Patchstack).