CVE-2024-49676: 
WordPress vulnerability analysis and mitigation

The Custom Icons for Elementor WordPress plugin contains an Unrestricted Upload of File with Dangerous Type vulnerability (CVE-2024-49676) affecting versions up to and including 0.3.3. The vulnerability was discovered by researcher tahu.datar and publicly disclosed on October 21, 2024. This security issue allows authenticated users with Administrator-level access to upload arbitrary files to the affected site's server (WPScan, Patchstack).

The vulnerability is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type) and has received a CVSS v3.1 base score of 6.6 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L. The security issue stems from missing file type validation in the plugin's upload functionality (NVD, Patchstack).

The vulnerability could allow attackers to upload arbitrary files to the affected website's server, potentially leading to remote code execution. This could result in unauthorized access to the server and compromise of the website's security (Patchstack).

The vulnerability has been fixed in version 0.3.4 of the Custom Icons for Elementor plugin. Website administrators are advised to update to this version or later to remove the vulnerability. Patchstack users can enable auto-update for vulnerable plugins as an additional security measure (Patchstack).