CVE-2024-8425Wpswings · Woocommerce_ultimate_gift_card
Vulnerability data via NVD (ingested)
The WooCommerce Ultimate Gift Card plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'mwb_wgm_preview_mail' and 'mwb_wgm_woocommerce_add_cart_item_data' functions in all versions up to, and including, 2.9.2. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. Please note that this may have been patched on an older version than 2.9.2, however, we do not have access to older versions of the software to confirm when the patch was added. The only patched version we have confirmed is 2.9.3.
External references
Search for exposed instances
Shodan + Censys queries derived from NVD's CPE data. The vuln tag catches assets Shodan has explicitly linked to this CVE; the product / banner fingerprints find exposed instances even when the vuln tag was never applied (which is common).
vuln:CVE-2024-8425http.html:"/wp-content/plugins/woocommerce-ultimate-gift-card/"product:"Wpswings Woocommerce Ultimate Gift Card"http.html:"Woocommerce Ultimate Gift Card"More intel sources (5)
vuln:CVE-2024-8425vulnerabilities.cve_id: CVE-2024-8425CVE-2024-8425CVE-2024-8425"CVE-2024-8425" exploit -site:nvd.nist.gov