CVE-2024-6220

CRITICAL EXPLOITED NUCLEI

Keydatas < 2.5.2 - Unauthenticated Arbitrary File Upload via keydatas_downloadImages Function

Title source: llm

Exploitation Summary

CVE-2024-6220 has been observed exploited in the wild (reported by VulnCheck KEV). A Nuclei detection template is also available.

Description

The 简数采集器 (Keydatas) plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the keydatas_downloadImages function in all versions up to, and including, 2.5.2. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

Nuclei Templates (1)

WordPress Keydatas ≤ 2.5.2 - Arbitrary File Upload

CRITICALVERIFIEDby hnd3884

References (3)

Core 3

Core References

https://plugins.trac.wordpress.org/changeset/3127334/keydatas?contextall=1

Patch

https://plugins.trac.wordpress.org/browser/keydatas/trunk/keydatas.php

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/49ae7971-7bdf-4369-b04b-fb48ea5b9518?source=cve

Scores

CVSS v3 9.8

EPSS 0.3571

EPSS Percentile 98.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

VulnCheck KEV 2024-07-17

CWE

CWE-434

Status published

Products (2)

keydatas/keydatas < 2.5.2

zhengdon/简数采集器 < 2.5.2

Published Jul 17, 2024

Tracked Since Feb 18, 2026