CVE-2024-50523: 
WordPress vulnerability analysis and mitigation

CVE-2024-50523 is an Unrestricted Upload of File with Dangerous Type vulnerability affecting the RainbowLink Inc. All Post Contact Form WordPress plugin. The vulnerability was discovered by researcher stealthcopter and was publicly disclosed on October 30, 2024. This security issue affects All Post Contact Form versions up to and including 1.7.9, with no official fix currently available (Patchstack, NVD).

The vulnerability is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type) and has received critical severity ratings. The CVSS v3.1 base score ranges from 9.8 to 10.0, with two different assessments: NIST rates it at 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) while Patchstack assigns a score of 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). The vulnerability requires no authentication to exploit (NVD, Patchstack).

The vulnerability allows malicious actors to upload arbitrary files, including web shells, to the affected web server. This capability could enable attackers to gain further access to the website and potentially execute malicious code. The high CVSS scores indicate that this vulnerability poses a critical risk to affected systems (Patchstack).

While no official fix is currently available, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks. Website administrators are advised to implement the virtual patch immediately until an official fix becomes available. Additionally, it is recommended to reach out to hosting providers for server-side malware scanning if compromise is suspected (Patchstack).