CVE-2024-7863: 
WordPress vulnerability analysis and mitigation

The Favicon Generator WordPress plugin before version 2.1 contains a critical security vulnerability identified as CVE-2024-7863. The vulnerability was discovered and reported by WPScan, with the initial disclosure made on September 13, 2024. This security issue affects the file upload functionality in the plugin and lacks proper CSRF protection (WPScan, NVD).

The vulnerability stems from two main security issues: the absence of proper file validation during upload operations and missing Cross-Site Request Forgery (CSRF) protection mechanisms. The severity of this vulnerability has been assessed with a CVSS v3.1 base score of 6.8 (MEDIUM) by NIST with a vector string of CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H. Additionally, CISA-ADP has assigned a higher severity score of 8.1 (HIGH) with a vector string of CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N (NVD).

The vulnerability allows attackers to potentially upload arbitrary files, including malicious PHP files, to the server through a logged-in administrator's account. This could lead to remote code execution on the affected WordPress installation, potentially compromising the entire website (WPScan).

Website administrators using the Favicon Generator plugin should immediately update to version 2.1 or later, which contains fixes for these security issues. If immediate updating is not possible, it is recommended to temporarily disable the plugin until the update can be applied (NVD).