CVE-2024-49324: 
WordPress vulnerability analysis and mitigation

The Sovratec Case Management WordPress plugin version 1.0.0 and below contains an Unrestricted Upload of File with Dangerous Type vulnerability that allows unauthenticated attackers to upload a web shell to a web server. The vulnerability was discovered and reported by researcher stealthcopter on October 15, 2024, and was publicly disclosed on October 17, 2024. This security issue has been assigned CVE-2024-49324 (Patchstack).

The vulnerability has been assigned a Critical severity rating with a CVSS v3.1 base score of 9.8 (NIST) and 10.0 (Patchstack). The CVSS vector string is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating that the vulnerability can be exploited remotely with low attack complexity, requires no privileges or user interaction, and can result in high impacts to confidentiality, integrity, and availability. The vulnerability is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type) (NVD).

This vulnerability is considered highly dangerous and is expected to become mass exploited. The arbitrary file upload vulnerability could allow malicious actors to upload any type of file to the affected website, including backdoors which can then be executed to gain further access to the website (Patchstack).

Currently, there is no official fix available for this vulnerability. Patchstack has issued a virtual patch to mitigate this issue by blocking any attacks until an official fix becomes available. Website owners are advised to mitigate or resolve the vulnerability immediately (Patchstack).