CVE-2024-9422: 
WordPress vulnerability analysis and mitigation

The GEO my WP WordPress plugin before version 4.5 and its gmw-premium-settings WordPress plugin before version 3.1 contain a file upload vulnerability. This security issue was discovered and publicly disclosed on October 31, 2024, by security researcher Michael Dyrna (WPScan).

The vulnerability stems from insufficient validation of uploaded files in both the main plugin and its Premium Settings extension. The issue allows authenticated users with administrative privileges to upload arbitrary files, including PHP files, to the server. The vulnerability has been assigned a CVSS v3.1 base score of 6.6 (Medium) with the vector string CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H (NVD).

If exploited, this vulnerability could allow attackers to upload malicious PHP files to the server, potentially leading to remote code execution. The uploaded files can be accessed without requiring authentication, increasing the severity of the potential impact (WPScan).

The vulnerability has been patched in GEO my WP version 4.5 and gmw-premium-settings version 3.1. Users are strongly advised to update both plugins to their latest versions to mitigate this security risk (WPScan).