Platform: wordpress
Component: smsa-shipping-official
Fixed in: 2.3.1, 2.4
CVE-2024-49249 describes an arbitrary file deletion vulnerability affecting the SMSA Shipping (official) WordPress plugin. This flaw allows authenticated attackers, even those with Subscriber-level access, to delete files on the server, potentially leading to remote code execution. The vulnerability impacts versions of the plugin up to and including 2.3, with a fix available in version 2.4.
The primary impact of CVE-2024-49249 is that an authenticated attacker can delete arbitrary files on the server. Although the vulnerability requires authentication, the low privilege level needed (Subscriber) means that any registered user of the site is a potential attacker, which significantly broadens the exposure. Deletion of critical files such as wp-config.php could lead to complete compromise of the WordPress installation, enabling remote code execution, after which an attacker could inject malicious code, steal sensitive data, or deface the website. Whether lateral movement within the network is possible depends on the server's configuration and access controls.
CVE-2024-49249 was published on 2026-01-06. Currently, there are no known active campaigns targeting this vulnerability. Public proof-of-concept exploits are not widely available, but the ease of exploitation given the low privilege requirement suggests it could become a target. The vulnerability is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.17% (38th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-49249 is to upgrade the SMSA Shipping plugin to version 2.4 or later immediately. If upgrading is not immediately feasible because of compatibility issues or breaking changes, restrict the file permissions under which the web server process runs so that it cannot delete files outside the directories it genuinely needs to write to, limiting the impact of a successful attack. Deploy a Web Application Firewall (WAF) with rules that block suspicious file deletion requests. Monitor WordPress and web server logs for unusual file deletion activity, particularly requests that reference core WordPress files.
Update to version 2.4, or a newer patched version
CVE-2024-49249 is a vulnerability in the SMSA Shipping WordPress plugin allowing authenticated users to delete files, potentially leading to remote code execution. It affects versions up to 2.3 and has a CVSS score of 8.1 (HIGH).
You are affected if you are using the SMSA Shipping plugin version 2.3 or earlier. Check your plugin version and upgrade immediately.
Upgrade the SMSA Shipping plugin to version 2.4 or later. If upgrading is not possible, restrict file access permissions and implement WAF rules.
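To make the "check your plugin version" step concrete, here is an added POSIX shell check that is not part of the advisory or of the plugin itself: it reads the Version: header from a plugin's main PHP file (the file path is an assumption you pass as an argument) and reports whether the installed release is below the fixed version 2.4.

```shell
#!/bin/sh
# Added example, not from the advisory or the plugin authors: report whether
# an installed smsa-shipping-official plugin is below the fixed release (2.4).
# Usage: sh check_smsa.sh wp-content/plugins/smsa-shipping-official/<main-file>.php
# The main file name is an assumption; WordPress keeps the "Version:" header
# in the plugin's main PHP file.
FIXED_VERSION="2.4"

# Print the value of the first "Version:" header line in a plugin file.
plugin_version() {
  sed -n 's/^[[:space:]]*\*\{0,1\}[[:space:]]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# Return 0 when version $1 sorts before version $2 (dotted numeric parts,
# missing parts count as 0, so 2.3 < 2.3.1 < 2.4), 1 otherwise.
version_lt() {
  a=$1; b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; y=${b%%.*}
    if [ "$a" = "$x" ]; then a=; else a=${a#*.}; fi
    if [ "$b" = "$y" ]; then b=; else b=${b#*.}; fi
    x=${x:-0}; y=${y:-0}
    if [ "$x" -lt "$y" ]; then return 0; fi
    if [ "$x" -gt "$y" ]; then return 1; fi
  done
  return 1
}

# Print "vulnerable", "patched" or "unknown" for the plugin file given as $1.
affected_status() {
  v=$(plugin_version "$1")
  if [ -z "$v" ]; then echo "unknown"; return 0; fi
  if version_lt "$v" "$FIXED_VERSION"; then echo "vulnerable"; else echo "patched"; fi
}

# When run directly with file arguments, report each plugin file.
for f in "$@"; do
  echo "$f: $(affected_status "$f")"
done
```

A result of "unknown" means no Version: header was found, so you have probably pointed the script at the wrong file rather than at the plugin's main PHP file.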
Currently, there are no confirmed reports of active exploitation, but the ease of exploitation makes it a potential target.
Refer to the official SMSA Shipping plugin website or WordPress plugin repository for the latest advisory and update information.