CVE-2024-51793: 
WordPress vulnerability analysis and mitigation

An Unrestricted Upload of File with Dangerous Type vulnerability was discovered in Webful Creations Computer Repair Shop WordPress plugin, affecting versions up to 3.8115. The vulnerability allows attackers to upload a web shell to a web server, posing a significant security risk. The issue was disclosed on November 11, 2024, and received a CVSS v3.1 base score of 9.8 (CRITICAL) from NVD and 10.0 (CRITICAL) from Patchstack (NVD, Patchstack).

The vulnerability is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type). It received two different CVSS v3.1 scores: NVD assigned a score of 9.8 with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, while Patchstack assigned a score of 10.0 with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H. The vulnerability requires no authentication to exploit and has low attack complexity (NVD).

The vulnerability allows malicious actors to upload arbitrary files, including web shells, to the affected web server. This could lead to complete system compromise, allowing attackers to gain unauthorized access and potentially execute arbitrary code on the server. The high CVSS scores indicate the potential for complete compromise of system confidentiality, integrity, and availability (Patchstack).

Users are strongly advised to update to version 3.8116 or later of the Computer Repair Shop plugin to resolve this vulnerability. Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until users can update to a fixed version (Patchstack).