CVE-2024-7384: 
WordPress vulnerability analysis and mitigation

The AcyMailing WordPress plugin (versions up to 9.7.2) contains a vulnerability identified as CVE-2024-7384. This security flaw involves arbitrary file uploads due to missing file type validation in the acym_extractArchive function. The vulnerability affects the AcyMailing – An Ultimate Newsletter Plugin and Marketing Automation Solution for WordPress plugin (NVD).

The vulnerability is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type) and has received a CVSS v3.1 base score of 8.8 (HIGH) from NVD and 7.5 (HIGH) from Wordfence. The security issue stems from inadequate file type validation in the acym_extractArchive function, which could allow authenticated users with Subscriber-level access or higher to upload arbitrary files to the affected site's server (NVD).

The vulnerability could potentially enable remote code execution on the affected site's server through arbitrary file uploads. This poses a significant security risk as authenticated attackers with even minimal privileges (Subscriber-level access) could exploit this vulnerability to compromise the website (NVD).

The vulnerability has been patched in version 9.8.0 of the AcyMailing plugin. Website administrators are strongly advised to update their installations to this version or later to protect against potential exploitation (AcyMailing Changelog).