CVE-2024-50480: 
WordPress vulnerability analysis and mitigation

The Marketing Automation by AZEXO WordPress plugin version 1.27.80 and earlier contains an Unrestricted Upload of File with Dangerous Type vulnerability that allows attackers to upload a web shell to a web server. The vulnerability was discovered and reported by researcher stealthcopter on October 19, 2024, and was publicly disclosed on October 25, 2024 (Patchstack).

The vulnerability is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type) and has been assigned CVE-2024-50480. It received a CVSS v3.1 base score of 9.9 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H. The vulnerability requires Subscriber-level privileges to exploit (Patchstack).

This vulnerability allows malicious actors to upload arbitrary files, including backdoors, to the affected website. Once a backdoor is uploaded, it can be executed to gain further access to the website. The critical CVSS score of 9.9 indicates that this vulnerability is highly dangerous and is expected to become mass exploited (Patchstack).

Currently, there is no official fix available for this vulnerability. Patchstack has issued a virtual patch to mitigate the issue by blocking potential attacks until an official fix becomes available. Website owners are advised to implement the virtual patch immediately or consider removing the plugin until a security update is released (Patchstack).