A critical unauthenticated file upload flaw in the WordPress Background Image Cropper plugin (v1.2) lets remote attackers drop PHP files via the ups.php endpoint and execute arbitrary code on the host.
What Is It
CVE-2024-58348 is a remote code execution vulnerability in the WordPress Background Image Cropper plugin, version 1.2. The plugin exposes an ups.php endpoint that accepts file uploads without authentication. Because the upload form does not validate file types, an attacker can submit a PHP file to the form in the plugin directory, have it written to a path under the web root, and then request that path by URL so the server executes it. The weakness is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type).
Why It Matters
The bug carries a CVSS 3.1 base score of 9.8 (Critical) and a CVSS 4.0 score of 9.3 (Critical), with an attack vector of network, low complexity, no privileges, and no user interaction required (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Successful exploitation grants code execution under the web server's user context, meaning total compromise of confidentiality, integrity, and availability of the WordPress site and potentially the underlying host. A public proof-of-concept is published on Exploit-DB (entry 51998), lowering the barrier to mass exploitation of exposed WordPress instances running the plugin.
What's Vulnerable
- Product: WordPress Background Image Cropper plugin
- Affected version: 1.2
- Vulnerable component: ups.php endpoint and the file upload form in the plugin directory
- Attack precondition: Plugin installed and reachable over HTTP(S); no account or interaction needed
No CPE list is published in the NVD record, and no CISA KEV entry is present for this CVE at this time, so active in-the-wild exploitation is not confirmed by KEV.
Patch Status
The NVD record does not list a fixed version or vendor patch advisory. Until the plugin maintainer publishes a fixed release, operators should deactivate and remove the Background Image Cropper plugin from affected WordPress sites, block external access to ups.php at the web server or WAF layer, and audit the plugin's upload directory (and wp-content/uploads generally) for unexpected PHP files indicating prior compromise. Blocking the endpoint does nothing for a payload that was already dropped, so also review web server access logs for earlier requests to ups.php and for requests fetching .php files from under the uploads path.
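The two post-removal checks above, as an added example that is not code from the plugin, its vendor, or this advisory. It assumes a standard WordPress layout (media under wp-content/uploads, combined-format access logs) and uses a constructed scratch directory and three made-up log lines; the plugin directory name "background-image-cropper" in the sample log is an assumption, which is why the pattern matches on /ups.php itself rather than on the slug.

```shell
#!/bin/sh
# Added example for this advisory; not code from the plugin or its vendor.
# Two post-removal checks for a WordPress host:
#   audit_php_uploads DIR     list files under DIR (normally wp-content/uploads,
#                             which should hold only media) that carry a
#                             PHP-executable extension or contain a PHP open tag
#                             behind an innocent extension (e.g. shell.gif)
#   grep_suspect_requests LOG list access-log lines that hit ups.php or fetch
#                             a .php file from under wp-content/uploads
# Each prints its hits and returns 1 when it finds any, 0 when clean, so both
# can be wired into cron or a monitoring check.

audit_php_uploads() {
    _dir="$1"
    _hits=$( {
        # Extensions a typical PHP handler configuration will execute,
        # including double extensions such as shell.php.jpg.
        find "$_dir" -type f \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.phar' \
                                -o -iname '*.php[3457]' -o -iname '*.php.*' \) -print
        # Anything else that embeds a PHP open tag (polyglot or renamed payload).
        find "$_dir" -type f -exec grep -lF '<?php' {} +
    } 2>/dev/null | sort -u )
    [ -z "$_hits" ] && return 0
    printf '%s\n' "$_hits"
    return 1
}

grep_suspect_requests() {
    # Match the request target in a combined-format log line: either the
    # vulnerable endpoint or a .php file served from the uploads tree.
    _hits=$(grep -E '"(GET|POST) [^" ]*(/ups\.php|/wp-content/uploads/[^" ]*\.php)' "$1" 2>/dev/null)
    [ -z "$_hits" ] && return 0
    printf '%s\n' "$_hits"
    return 1
}

# Stand-alone demo on constructed data (scratch directory, made-up log lines).
# Replace with real paths in production use; the plugin slug below is assumed.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/2024/05"
printf 'JFIF-not-really' > "$demo_dir/2024/05/hero.jpg"                        # benign
printf '<?php system($_GET["c"]); ?>' > "$demo_dir/2024/05/x.php"              # dropped web shell
printf 'GIF89a<?php eval($_POST["k"]); ?>' > "$demo_dir/2024/05/pic.gif"       # polyglot
demo_log=$(mktemp)
cat > "$demo_log" <<'EOF'
203.0.113.7 - - [10/May/2024:11:02:13 +0000] "POST /wp-content/plugins/background-image-cropper/ups.php HTTP/1.1" 200 412 "-" "python-requests/2.31"
198.51.100.22 - - [10/May/2024:11:02:15 +0000] "GET /wp-content/uploads/2024/05/x.php?c=id HTTP/1.1" 200 98 "-" "curl/8.1"
192.0.2.9 - - [10/May/2024:11:03:01 +0000] "GET /wp-login.php HTTP/1.1" 200 5312 "-" "Mozilla/5.0"
EOF

echo "== suspicious files under $demo_dir"
audit_php_uploads "$demo_dir" || echo "(found: preserve for forensics before deleting)"
echo "== suspicious requests in $demo_log"
grep_suspect_requests "$demo_log" || echo "(found: correlate with file mtimes above)"
rm -rf "$demo_dir" "$demo_log"
```

The content scan is deliberately broader than the extension scan: a payload uploaded as pic.gif is harmless until something re-executes it, but finding one still proves the upload path was abused and is worth keeping for forensics. The log check only covers what the web server recorded; if ups.php was reached through a CDN or reverse proxy, check that layer's logs too.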