CVE-2024-8699: 
WordPress vulnerability analysis and mitigation

The Z-Downloads WordPress plugin before version 1.11.5 contains a security vulnerability (CVE-2024-8699) that affects file upload validation. The vulnerability was discovered in 2024 and impacts high-privilege users such as administrators, allowing them to upload arbitrary files on the server even when such actions should be restricted, particularly in multisite setups (WPScan).

The vulnerability stems from improper validation of uploaded files in the Z-Downloads plugin. High-privilege users can exploit this vulnerability through the plugin's file upload functionality, specifically using the "Replace file" feature. The issue allows for the upload of potentially malicious files, including PHP webshells, bypassing intended restrictions. The vulnerability has been assigned a CVSS v3.1 base score of 7.2 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H (WPScan, NVD).

The vulnerability can lead to unauthorized file uploads on the server, potentially allowing the execution of malicious code. This is particularly concerning in multisite WordPress setups where even admin-level file upload capabilities should be restricted. The ability to upload arbitrary files could result in server compromise or unauthorized code execution (WPScan).

The vulnerability has been patched in version 1.11.5 of the Z-Downloads plugin. Users are advised to update to this version or later to mitigate the risk (WPScan).