External Control of File Name or Path

CVE-2024-10672

Low

2.7/10

Summary

The Multiple Page Generator Plugin – MPG plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the mpg_upsert_project_source_block() function in all versions up to, and including, 4.0.2. This makes it possible for authenticated attackers, with editor-level access and above, to delete limited files on the server.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: LOW
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: HIGH
Confidentiality Impact: NONE
Availability Impact: NONE

CWE-73 - External Control of File Name or Path

The software allows user input to control or influence paths or file names that are used in filesystem operations.

References

Advisory Timeline

Published Nov 12, 2024

External Control of File Name or Path

CVE-2024-10672

Summary

CWE-73 - External Control of File Name or Path

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS