The Pexels: Free Stock Photos plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'pexels_fsp_images_options_validate' function in all versions up to, and including, 1.2.2. This makes it possible for authenticated attackers, with contributor-level and above permissions, to upload arbitrary files on the affected site's server which may make remote code execution possible.
References
Configurations
No configuration.
History
08 Apr 2026, 18:22
| Type | Values Removed | Values Added |
|---|---|---|
| CWE | CWE-434 |
21 Nov 2024, 09:49
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://plugins.trac.wordpress.org/browser/wp-pexels-free-stock-photos/trunk/settings.php#L239 - | |
| References | () https://www.wordfence.com/threat-intel/vulnerabilities/id/79dd492e-d4da-4209-83a8-d8059263ae92?source=cve - |
20 Jun 2024, 12:44
| Type | Values Removed | Values Added |
|---|---|---|
| Summary |
|
19 Jun 2024, 06:15
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2024-06-19 06:15
Updated : 2026-06-17 08:17
NVD link : CVE-2024-6132
Mitre link : CVE-2024-6132
CVE.ORG link : CVE-2024-6132
JSON object : View
Products Affected
No product.
CWE
CWE-434
Unrestricted Upload of File with Dangerous Type
