The WPGYM - Wordpress Gym Management System plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the MJ_gmgt_user_avatar_image_upload() function in all versions up to, and including, 67.1.0. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
Metrics
Affected Vendors & Products
References
History
Tue, 26 Nov 2024 20:00:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared |
Mojoomla
Mojoomla wordpress Gym Management System |
|
CPEs | cpe:2.3:a:mojoomla:wordpress_gym_management_system:*:*:*:*:*:wordpress:*:* | |
Vendors & Products |
Mojoomla
Mojoomla wordpress Gym Management System |
Sun, 24 Nov 2024 19:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared |
Dasinfomedia
Dasinfomedia wpgym Gym Management System |
|
CPEs | cpe:2.3:a:dasinfomedia:wpgym_gym_management_system:-:*:*:*:*:wordpress:*:* | |
Vendors & Products |
Dasinfomedia
Dasinfomedia wpgym Gym Management System |
|
Metrics |
ssvc
|
Sat, 23 Nov 2024 07:45:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | The WPGYM - Wordpress Gym Management System plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the MJ_gmgt_user_avatar_image_upload() function in all versions up to, and including, 67.1.0. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. | |
Title | WPGYM <= 67.1.0 - Unauthenticated Arbitrary File Upload | |
Weaknesses | CWE-434 | |
References |
| |
Metrics |
cvssV3_1
|
MITRE
Status: PUBLISHED
Assigner: Wordfence
Published: 2024-11-23T07:38:06.409Z
Updated: 2024-11-24T18:32:32.882Z
Reserved: 2024-10-14T16:22:57.026Z
Link: CVE-2024-9942
Vulnrichment
Updated: 2024-11-24T18:30:57.852Z
NVD
Status : Analyzed
Published: 2024-11-23T08:15:04.390
Modified: 2024-11-26T19:33:35.843
Link: CVE-2024-9942
Redhat
No data.