CVE-2024-50526

CRITICAL

Multi Purpose Mail Form <= 1.0.2 - Unauthenticated Arbitrary File Upload

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-50526. PoCs published by JoshuaProvoste.

AI-analyzed exploit summary: This is a functional exploit for CVE-2024-50526, an unauthenticated arbitrary file upload vulnerability in the Multi Purpose Mail Form WordPress plugin, leading to remote command execution (RCE). The script uploads a PHP payload, verifies its accessibility, detects the target OS, and provides an interactive shell.

Description

Unrestricted Upload of File with Dangerous Type vulnerability in Lindeni Mahlalela Multi Purpose Mail Form (multi-purpose-mail-form) allows uploading a web shell to a web server. This issue affects Multi Purpose Mail Form: from n/a through <= 1.0.2.

Exploits (1)

nomisec · WORKING POC · 1 star
by JoshuaProvoste · poc
https://github.com/JoshuaProvoste/0-click-RCE-Exploit-for-CVE-2024-50526

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Multi Purpose Mail Form WordPress plugin version 1.0.2
No auth needed
Prerequisites: Target must have the vulnerable plugin installed and accessible · Network access to the target WordPress site
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3: 10.0
EPSS: 0.0061
EPSS Percentile: 44.5%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: yes
Technical Impact: total

Details

CWE: CWE-434
Status: published
Products (2):
lindeni/multi_purpose_mail_form < 1.0.2
Lindeni Mahlalela/Multi Purpose Mail Form < 1.0.2
Published: Nov 04, 2024
Tracked Since: Feb 18, 2026