CVE-2024-6651

MEDIUM NUCLEI

WordPress File Upload <4.24.8 - XSS

Title source: llm

Description

The WordPress File Upload WordPress plugin before 4.24.8 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

Exploits (1)

nomisec WORKING POC 1 stars

by yup-Ivan · poc

https://github.com/yup-Ivan/CVE-2024-6651

View Code ZIP pw:eip

Nuclei Templates (1)

WordPress File Upload Plugin < 4.24.8 - Cross-Site Scripting

HIGHby ritikchaddha

FOFA: body='wp-content/plugins/wp-file-upload/'

References (1)

[Exploit, Third Party Advisory] https://wpscan.com/vulnerability/65e2c77d-09bd-4a44-81d9-d7a5db0e0f84/

Scores

CVSS v3 6.1

EPSS 0.1197

EPSS Percentile 93.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE

CWE-79

Status published

Products (1)

iptanus/wordpress_file_upload < 4.24.8

Published Aug 06, 2024

Tracked Since Feb 18, 2026