WordPress The Novel Design Store Directory plugin <= 4.3.0 - Arbitrary File Upload vulnerability

The primary impact of CVE-2024-51788 is the ability for an attacker to upload a web shell to the server. A web shell is a malicious script that allows an attacker to execute arbitrary commands on the server as if they were a legitimate administrator. This can lead to complete server compromise, including data exfiltration, modification, or deletion. The attacker could also use the compromised server as a launchpad for further attacks against other systems on the network, achieving lateral movement. The blast radius extends beyond the affected directory, potentially impacting any data or services hosted on the same server. The unrestricted file upload nature of this vulnerability makes it particularly dangerous, as it bypasses typical security controls designed to prevent malicious file uploads.

1. 已保留2024-11-04
2. 发布日期2024-11-11
3. 修改日期2024-11-12
4. EPSS 更新日期2026-04-02

The primary mitigation for CVE-2024-51788 is to immediately upgrade to version 4.3.1 of The Novel Design Store Directory. If upgrading is not immediately feasible, consider implementing temporary workarounds. These may include restricting file upload types to only explicitly allowed extensions, implementing stricter file size limits, and enabling server-side validation of uploaded files. Web Application Firewalls (WAFs) can be configured with rules to block suspicious file uploads and detect web shell activity. Monitor server logs for unusual file activity or command execution attempts. After upgrading, confirm the vulnerability is resolved by attempting to upload a test file with a known dangerous extension (e.g., .php) and verifying that the upload is rejected.