CVE-2024-49314: 
WordPress vulnerability analysis and mitigation

The JiangQie Free Mini Program WordPress plugin versions through 2.5.2 contains an Unrestricted Upload of File with Dangerous Type vulnerability that allows attackers to upload a Web Shell to a Web Server. The vulnerability was discovered and reported on October 17, 2024, and was assigned CVE-2024-49314 with a CVSS v3.1 base score of 10.0 (Critical) (Patchstack).

The vulnerability is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type). It has received a CVSS v3.1 base score of 10.0 CRITICAL with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H, indicating that it is a network-accessible vulnerability requiring no privileges or user interaction to exploit, and can result in high impacts to confidentiality, integrity, and availability (Patchstack).

The vulnerability allows attackers to upload arbitrary files, including malicious web shells, to the target web server. This could lead to complete system compromise as web shells can provide attackers with the ability to execute arbitrary commands on the server (Patchstack).

Currently, there is no official fix available for this vulnerability. Website administrators are advised to either remove the plugin or implement strict file upload restrictions through web application firewall rules. Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until an official fix becomes available (Patchstack).