CVE-2024-10124

CRITICAL

Vayu Blocks - Unauthorized Plugin Installation

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 3 public exploits for CVE-2024-10124. PoCs published by Nxploited, Boshe99, RandomRobbieBF.

AI-analyzed exploit summary This repository contains a functional exploit for CVE-2024-10124, which allows unauthenticated arbitrary plugin installation and activation in the Vayu Blocks WordPress plugin due to a missing capability check. The PoC includes both version checking and plugin installation functionality.

Description

The Vayu Blocks – Gutenberg Blocks for WordPress & WooCommerce plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation and activation due to a missing capability check on the tp_install() function in all versions up to, and including, 1.1.1. This makes it possible for unauthenticated attackers to install and activate arbitrary plugins which can be leveraged to achieve remote code execution if another vulnerable plugin is installed and activated. This vulnerability was partially patched in version 1.1.1.

Exploits (3)

nomisec WORKING POC 1 stars
by Nxploited · poc
https://github.com/Nxploited/CVE-2024-10124-Poc

This repository contains a functional exploit for CVE-2024-10124, which allows unauthenticated arbitrary plugin installation and activation in the Vayu Blocks WordPress plugin due to a missing capability check. The PoC includes both version checking and plugin installation functionality.

Classification
Working Poc 95%
Attack Type
Auth Bypass
Complexity
Trivial
Reliability
Reliable
Target: Vayu Blocks – Gutenberg Blocks for WordPress & WooCommerce (versions up to and including 1.1.1)
No auth needed
Prerequisites: Target WordPress site with vulnerable Vayu Blocks plugin installed
devstral-2 · analyzed Feb 18, 2026 Full analysis →
github WORKING POC
by Boshe99 · pythonpoc
https://github.com/Boshe99/CVE-Exploits/tree/main/CVE-2024-10124-Poc

The repository contains functional exploit code for CVE-2024-10124, targeting a WordPress plugin vulnerability. The Python script demonstrates arbitrary file upload capabilities, confirming the vulnerability's exploitability.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: WordPress Plugin 3DPrint Lite 1.9.1.4
No auth needed
Prerequisites: target URL · file path for upload
devstral-2 · analyzed Feb 27, 2026 Full analysis →
nomisec WORKING POC
by RandomRobbieBF · poc
https://github.com/RandomRobbieBF/CVE-2024-10124

The repository contains a functional proof-of-concept exploit for CVE-2024-10124, demonstrating an unauthenticated arbitrary plugin installation/activation vulnerability in the Vayu Blocks WordPress plugin. The PoC includes a crafted HTTP POST request to the vulnerable endpoint, which can lead to remote code execution if a vulnerable plugin is installed.

Classification
Working Poc 95%
Attack Type
Auth Bypass
Complexity
Trivial
Reliability
Reliable
Target: Vayu Blocks – Gutenberg Blocks for WordPress & WooCommerce <= 1.1.1
No auth needed
Prerequisites: WordPress site with Vayu Blocks plugin <= 1.1.1 installed
devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (6)

Core 6

Scores

CVSS v3 9.8
EPSS 0.3122
EPSS Percentile 98.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

CWE
CWE-284
Status published
Products (2)
themehunk/Vayu Blocks – Gutenberg Blocks for WordPress & WooCommerce < 1.1.1
themehunk/Vayu Blocks – Website Builder for the Block Editor < 1.1.1
Published Dec 12, 2024
Tracked Since Feb 18, 2026