CVE-2024-8699

HIGH

Z-Downloads WP <1.11.5 - Privilege Escalation

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-8699. PoCs published by certuscyber.

AI-analyzed exploit summary: The repository contains functional exploit code for multiple WordPress plugin vulnerabilities, including SQL injection (CVE-2014-5182, CVE-2014-5185) and insecure deserialization (CVE-2020-29045). The PoCs include authentication, payload delivery, and data exfiltration logic.

Description

The Z-Downloads WordPress plugin before 1.11.5 does not properly validate uploaded files, allowing high-privilege users such as admin to upload arbitrary files to the server even when they should not be allowed to (for example, in a multisite setup).

Exploits (1)

GitHub · WORKING POC · 3 stars
by certuscyber · python · poc
https://github.com/certuscyber/cve-pocs/tree/main/CVE-2024-8699


Classification: Working PoC 100%
Attack Type: SQLi
Complexity: Moderate
Reliability: Reliable
Target: WordPress YAWPP plugin <= 1.2, WordPress Quartz plugin <= 1.01.1
Auth required: yes
Prerequisites: WordPress admin/contributor credentials · Target plugin installed and activated
devstral-2 · analyzed Feb 27, 2026

References (1)

Core References
Tags: Exploit, Third Party Advisory, exploit, vdb-entry, technical-description
https://wpscan.com/vulnerability/9013351e-224f-4696-970f-eb843dc8dace/

Scores

CVSS v3 7.2
EPSS 0.0057
EPSS Percentile 42.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

Status published
Products (1)
urbanbase/z-downloads < 1.11.5
Published May 15, 2025
Tracked Since Feb 18, 2026