CVE-2024-43998

MEDIUM

WebsiteinWP Blogpoet <= 1.0.3 - Missing Authorization

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 3 public exploits for CVE-2024-43998. PoCs published by RandomRobbieBF, Boshe99, Nxploited.

AI-analyzed exploit summary The repository contains a functional proof-of-concept exploit for CVE-2024-43998, demonstrating unauthorized plugin installation and activation in the Blogpoet WordPress theme due to a missing capability check in the `blogpoet_install_and_activate_plugins()` function. The PoC includes a crafted HTTP POST request to `/wp-admin/admin-ajax.php` that triggers the vulnerability.

Description

Missing Authorization vulnerability in WebsiteinWP Blogpoet allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Blogpoet: from n/a through 1.0.3.

Exploits (3)

nomisec WORKING POC 1 stars
by RandomRobbieBF · poc
https://github.com/RandomRobbieBF/CVE-2024-43998

The repository contains a functional proof-of-concept exploit for CVE-2024-43998, demonstrating unauthorized plugin installation and activation in the Blogpoet WordPress theme due to a missing capability check in the `blogpoet_install_and_activate_plugins()` function. The PoC includes a crafted HTTP POST request to `/wp-admin/admin-ajax.php` that triggers the vulnerability.

Classification
Working Poc 95%
Attack Type
Auth Bypass
Complexity
Trivial
Reliability
Reliable
Target: Blogpoet WordPress theme <= 1.0.2
No auth needed
Prerequisites: Access to the WordPress admin-ajax.php endpoint
devstral-2 · analyzed Feb 19, 2026 Full analysis →
github WORKING POC
by Boshe99 · pythonpoc
https://github.com/Boshe99/CVE-Exploits/tree/main/CVE-2024-43998

The repository contains functional exploit code for CVE-2024-43998, targeting an arbitrary file upload vulnerability in the WordPress Plugin 3DPrint Lite 1.9.1.4. The exploit demonstrates the ability to upload a malicious file to a vulnerable target.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: WordPress Plugin 3DPrint Lite 1.9.1.4
No auth needed
Prerequisites: Target URL · Path to the file to be uploaded
devstral-2 · analyzed Feb 27, 2026 Full analysis →
nomisec WORKING POC
by Nxploited · poc
https://github.com/Nxploited/CVE-2024-43998

The repository contains a functional exploit for CVE-2024-43998, a missing authorization vulnerability in the Blogpoet WordPress theme. The exploit checks the theme version and sends a crafted POST request to install and activate arbitrary plugins via an unauthenticated admin-ajax.php endpoint.

Classification
Working Poc 95%
Attack Type
Auth Bypass
Complexity
Trivial
Reliability
Reliable
Target: Blogpoet WordPress theme <= 1.0.3
No auth needed
Prerequisites: Target must have the Blogpoet theme installed and vulnerable version (<= 1.0.3) · WordPress site must be accessible
devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (1)

Core 1

Scores

CVSS v3 6.5
EPSS 0.0143
EPSS Percentile 69.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-862
Status published
Products (2)
WebsiteinWP/Blogpoet < 1.0.3
websiteinwp/blogpoet < 1.0.4
Published Nov 01, 2024
Tracked Since Feb 18, 2026