CVE-2024-6132

The Pexels: Free Stock Photos plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'pexels_fsp_images_options_validate' function in all versions up to, and including, 1.2.2. This makes it possible for authenticated attackers, with contributor-level and above permissions, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Configurations

No configuration.

History

08 Apr 2026, 18:22

Type Values Removed Values Added
CWE CWE-434

21 Nov 2024, 09:49

Type Values Removed Values Added
References () https://plugins.trac.wordpress.org/browser/wp-pexels-free-stock-photos/trunk/settings.php#L239 - () https://plugins.trac.wordpress.org/browser/wp-pexels-free-stock-photos/trunk/settings.php#L239 -
References () https://www.wordfence.com/threat-intel/vulnerabilities/id/79dd492e-d4da-4209-83a8-d8059263ae92?source=cve - () https://www.wordfence.com/threat-intel/vulnerabilities/id/79dd492e-d4da-4209-83a8-d8059263ae92?source=cve -

20 Jun 2024, 12:44

Type Values Removed Values Added
Summary
  • (es) El complemento Pexels: Free Stock Photos para WordPress es vulnerable a la carga de archivos arbitrarios debido a la falta de validación del tipo de archivo en la función 'pexels_fsp_images_options_validate' en todas las versiones hasta la 1.2.2 incluida. Esto hace posible que atacantes autenticados, con permisos de nivel de colaborador y superiores, carguen archivos arbitrarios en el servidor del sitio afectado, lo que puede hacer posible la ejecución remota de código.

19 Jun 2024, 06:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-06-19 06:15

Updated : 2026-06-17 08:17


NVD link : CVE-2024-6132

Mitre link : CVE-2024-6132

CVE.ORG link : CVE-2024-6132


JSON object : View

Products Affected

No product.

CWE
CWE-434

Unrestricted Upload of File with Dangerous Type