CVE-2024-9290: 
WordPress vulnerability analysis and mitigation

The Super Backup & Clone - Migrate for WordPress plugin for WordPress is vulnerable to arbitrary file uploads in versions up to and including 2.3.3. The vulnerability was discovered and disclosed on December 13, 2024, and is tracked as CVE-2024-9290. The issue affects the ibk_restore_migrate_check() function due to missing file type validation and capability checks (NVD).

The vulnerability stems from two key security issues in the ibk_restore_migrate_check() function: missing file type validation and a missing capability check. This combination allows unauthenticated attackers to upload arbitrary files to the affected site's server. The vulnerability has been assigned a CVSS v3.1 Base Score of 9.8 CRITICAL (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type) (NVD).

The vulnerability allows unauthenticated attackers to upload arbitrary files to the affected site's server, which could potentially lead to remote code execution. This presents a critical security risk as attackers require no authentication or user interaction to exploit the vulnerability (NVD).

The vulnerability has been addressed in versions after 2.3.3. Users are strongly advised to update their Super Backup & Clone - Migrate for WordPress plugin to the latest version. The latest version (2.4) was released on December 10, 2024, with improved security and vulnerability fixes (CodeCanyon).

The vulnerability has been acknowledged by security firms and has been included in threat intelligence updates. Trend Micro has included this vulnerability in their January 21, 2025 security update, indicating its significance in the security community (Trend Micro).