CVE-2024-49253: 
WordPress vulnerability analysis and mitigation

The Analyse Uploads WordPress plugin contains a Relative Path Traversal vulnerability that affects all versions up to and including 0.5. The vulnerability was discovered by researcher stealthcopter and was publicly disclosed on October 14, 2024, receiving the identifier CVE-2024-49253 (WPScan, Patchstack).

The vulnerability is classified as a Relative Path Traversal (CWE-23) issue that allows for arbitrary file deletion. The flaw exists in the jpntimetodie() function and is caused by insufficient file path validation. The vulnerability has received a CVSS v3.1 base score of 8.6 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H ([Patchstack](https://patchstack.com/database/vulnerability/analyse-uploads/wordpress-analyse-uploads-plugin-0-5-arbitrary-file-deletion-vulnerability?s_id=cve)).

This vulnerability allows unauthenticated attackers to delete arbitrary files on the server. The impact is particularly severe as it can lead to remote code execution when critical files such as wp-config.php are deleted. The ability to delete arbitrary files could result in website breakage and loss of functionality (WPScan).

Currently, there is no official fix available for this vulnerability. Patchstack has issued a virtual patch to mitigate the issue by blocking potential attacks until an official fix becomes available. Website administrators are advised to either implement the virtual patch or consider removing the plugin until a security update is released (Patchstack).