← Back

CVE-2024-13418

nvd nist
Published: May 2, 2025Modified: May 6, 2025

JSON object

Loading...
8.8
Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.8 / Impact: 5.9
Source: security@wordfence.com (Secondary)

Description

Multiple plugins and/or themes for WordPress are vulnerable to Arbitrary File Uploads due to a missing capability check on the ajaxUploadFonts() function in various versions. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files that can make remote code execution possible. This issue was escalated to Envato over two months from the date of this disclosure and the issue, while partially patched, is still vulnerable.

Affected (4)

Products: G5plus: April, Auteur, Benaa, Beyot
G5plus
4 products
April
Auteur
Benaa
Beyot
Configuration A
4 vulnerable
Vulnerable SoftwareAffected Versions
April
Up to 5.1
Auteur
Up to 7.1
Benaa
Up to 4.0.0
Beyot
Up to 6.0.6

Related CWEs

CWE-434
Unrestricted Upload of File with Dangerous Type
The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

References (2)

Source: security@wordfence.com
Product
Source: security@wordfence.com
Third Party Advisory

Timeline

No history available yet.