CVE-2024-49610: 
WordPress vulnerability analysis and mitigation

The WordPress photokit plugin version 1.0 and earlier contains an Unrestricted Upload of File with Dangerous Type vulnerability that allows attackers to upload a Web Shell to a Web Server. The vulnerability was discovered and reported by researcher stealthcopter on October 13, 2024, and was assigned CVE-2024-49610 (Patchstack, NVD).

The vulnerability has been assigned a Critical severity rating with a CVSS v3.1 base score of 9.8 (NIST) and 10.0 (Patchstack). The vulnerability is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type) and requires no authentication to exploit. The attack vector is network-accessible (AV:N) with low attack complexity (AC:L), requiring no privileges (PR:N) and no user interaction (UI:N) (NVD).

This vulnerability allows malicious actors to upload any type of file to the affected website, including backdoors which can then be executed to gain further access to the website. The potential impact includes complete compromise of system confidentiality, integrity, and availability (Patchstack).

Currently, there is no official fix available for this vulnerability. Patchstack has issued a virtual patch to mitigate this issue by blocking any attacks until an official fix becomes available. Website administrators are advised to mitigate or resolve the vulnerability immediately (Patchstack).