CVE-2024-10586

CRITICAL EXPLOITED

Debug Tool < 2.2 - Unauthenticated Arbitrary File Creation via dbt_pull_image()

Title source: llm

Exploitation Summary

CVE-2024-10586 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 3 public exploits from researchers including RandomRobbieBF, Boshe99, Nxploited.

AI-analyzed exploit summary

The repository contains a functional proof-of-concept for CVE-2024-10586, demonstrating an unauthenticated arbitrary file creation vulnerability in the Debug Tool WordPress plugin. The exploit leverages a missing capability check and file type validation to create a malicious PHP file via a crafted POST request to admin-ajax.php.

Description

The Debug Tool plugin for WordPress is vulnerable to arbitrary file creation due to a missing capability check on the dbt_pull_image() function and missing file type validation in all versions up to, and including, 2.2. This makes it possible for unauthenticated attackers to create arbitrary files such as .php files that can be leveraged for remote code execution. CVE-2024-52416 may be a duplicate of this issue.

Exploits (3)

nomisec WORKING POC 1 star
by RandomRobbieBF · remote
https://github.com/RandomRobbieBF/CVE-2024-10586

The repository contains a functional proof-of-concept for CVE-2024-10586, demonstrating an unauthenticated arbitrary file creation vulnerability in the Debug Tool WordPress plugin. The exploit leverages a missing capability check and file type validation to create a malicious PHP file via a crafted POST request to admin-ajax.php.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: Debug Tool WordPress plugin <= 2.2
No auth needed
Prerequisites: WordPress site with Debug Tool plugin <= 2.2 installed · Network access to the target
devstral-2 · analyzed Feb 18, 2026
github WORKING POC
by Boshe99 · pythonpoc
https://github.com/Boshe99/CVE-Exploits/tree/main/CVE-2024-10586-Poc

The repository contains functional exploit code for CVE-2024-10586, targeting a WordPress plugin (3DPrint Lite 1.9.1.4) with an arbitrary file upload vulnerability. The Python script demonstrates the ability to upload a malicious file to a vulnerable target.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: WordPress Plugin 3DPrint Lite 1.9.1.4
No auth needed
Prerequisites: target URL · malicious file to upload
devstral-2 · analyzed Feb 27, 2026
nomisec WORKING POC
by Nxploited · remote
https://github.com/Nxploited/CVE-2024-10586-Poc

This repository contains a functional exploit for CVE-2024-10586, an arbitrary file creation vulnerability in the Debug Tool WordPress plugin (versions up to 2.2). The exploit sends a crafted POST request to `admin-ajax.php` to create a malicious PHP file, enabling remote code execution.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: Debug Tool WordPress plugin <= 2.2
No auth needed
Prerequisites: Python 3.x · requests library · target WordPress site with vulnerable plugin
devstral-2 · analyzed Feb 18, 2026

Scores

CVSS v3 9.8
EPSS 0.0209
EPSS Percentile 79.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

VulnCheck KEV 2025-07-18
CWE
CWE-862
Status published
Products (1)
eugenbobrowski/Debug Tool < 2.2
Published Nov 09, 2024
Tracked Since Feb 18, 2026