CVE-2024-50473: 
WordPress vulnerability analysis and mitigation

An Unrestricted Upload of File with Dangerous Type vulnerability was discovered in Ajar Productions' Ajar in5 Embed WordPress plugin, affecting versions up to 3.1.3. The vulnerability was identified on October 25, 2024, by researcher CTRL and was assigned CVE-2024-50473. This security flaw allows attackers to upload a web shell to a web server ([Patchstack](https://patchstack.com/database/vulnerability/ajar-productions-in5-embed/wordpress-ajar-in5-embed-plugin-3-1-3-arbitrary-file-upload-vulnerability?s_id=cve)).

The vulnerability has been classified as CWE-434 (Unrestricted Upload of File with Dangerous Type) and received a Critical CVSS v3.1 base score of 10.0. The CVSS vector string is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H, indicating that the vulnerability can be exploited over the network, requires low attack complexity, needs no privileges or user interaction, and can result in high impacts to confidentiality, integrity, and availability (Patchstack).

This vulnerability is considered highly dangerous and is expected to become mass exploited. It allows malicious actors to upload any type of file to the affected website, including backdoors which can then be executed to gain further access to the website (Patchstack).

The vulnerability has been patched in version 3.1.4 of the Ajar in5 Embed plugin. Users are strongly advised to update to this version or later immediately. For users unable to update immediately, Patchstack has issued a virtual patch to mitigate this issue by blocking any attacks until the update can be performed (Patchstack).