CVE-2024-52408: 
WordPress vulnerability analysis and mitigation

An Unrestricted Upload of File with Dangerous Type vulnerability was discovered in Team PushAssist Push Notifications for WordPress plugin, tracked as CVE-2024-52408. The vulnerability affects versions through 3.0.8 of the Push Notifications for WordPress by PushAssist plugin. The issue was initially reported on October 12, 2024, and was publicly disclosed on November 13, 2024 (Patchstack).

The vulnerability is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type) and has received a CVSS v3.1 base score of 9.9 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H. The vulnerability requires Subscriber-level privileges or higher to exploit (Patchstack).

The vulnerability allows attackers to upload arbitrary files, including web shells, to the affected web server. This could potentially lead to complete website compromise as it enables the upload of backdoors which can be executed to gain further access to the website (Patchstack).

Currently, no official fix is available for this vulnerability. Patchstack has issued a virtual patch to mitigate this issue by blocking any attacks until an official fix becomes available. Website owners are advised to implement immediate mitigation measures (Patchstack).