CVE-2024-8856

CRITICAL · EXPLOITED · NUCLEI · LAB

WordPress WP Time Capsule Arbitrary File Upload to RCE

Title source: metasploit

Exploitation Summary

CVE-2024-8856 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 5 public exploits from researchers including Al Baradi Joy, ubaydev and Jenderal92, as well as a Metasploit module (exploits/multi/http/wp_time_capsule_file_upload_rce). A Nuclei detection template is also available.

AI-analyzed exploit summary: This exploit demonstrates an arbitrary file upload vulnerability in the WordPress Backup and Staging plugin (≤ 1.21.16), allowing unauthenticated attackers to upload a PHP shell via the upload.php endpoint, leading to remote code execution.

Description

The Backup and Staging by WP Time Capsule plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the UploadHandler.php file and no direct file access prevention in all versions up to, and including, 1.22.21. This makes it possible for unauthenticated attackers to upload arbitrary files to the affected site's server, which may make remote code execution possible.

Exploits (5)

exploitdb · WORKING POC
by Al Baradi Joy · python · webapps · php
https://www.exploit-db.com/exploits/52131

This exploit demonstrates an arbitrary file upload vulnerability in the WordPress Backup and Staging plugin (≤ 1.21.16), allowing unauthenticated attackers to upload a PHP shell via the upload.php endpoint, leading to remote code execution.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: WordPress Backup and Staging by WP Time Capsule ≤ 1.21.16
No auth needed
Prerequisites: Target must have the vulnerable plugin installed and accessible · The upload.php endpoint must be reachable
devstral-2 · analyzed Feb 16, 2026
nomisec · WORKING POC · 2 stars
by ubaydev · remote
https://github.com/ubaydev/CVE-2024-8856

The PoC demonstrates an arbitrary file upload vulnerability in the WP Time Capsule WordPress plugin, allowing unauthenticated attackers to upload and potentially execute malicious PHP files. The exploit leverages insufficient file validation in the plugin's upload endpoint.

Classification: Working PoC (90%)
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: WP Time Capsule plugin for WordPress (versions prior to 1.22.21)
No auth needed
Prerequisites: Access to the vulnerable WordPress site · WP Time Capsule plugin installed and active
devstral-2 · analyzed Feb 16, 2026
nomisec · SCANNER · 1 star
by Jenderal92 · poc
https://github.com/Jenderal92/CVE-2024-8856

This repository contains a Python-based scanner for detecting vulnerable versions of the WordPress WP Time Capsule plugin (CVE-2024-8856). It checks for versions below 1.22.22 by fetching the readme.txt file and uses multithreading for efficiency.

Classification: Scanner (95%)
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: WordPress Plugin WP Time Capsule < 1.22.22
No auth needed
Prerequisites: List of target URLs in a text file
devstral-2 · analyzed Feb 16, 2026
nomisec · WORKING POC
by Evillm · poc
https://github.com/Evillm/CVE-2024-8856-PoC

This repository contains a functional PoC for CVE-2024-8856, demonstrating unauthenticated RCE via file upload in the WP Time Capsule WordPress plugin. The scanner and RCE scripts confirm vulnerability by uploading PHP payloads and executing system commands.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: WP Time Capsule WordPress plugin
No auth needed
Prerequisites: Target running vulnerable WP Time Capsule plugin · Network access to the target
devstral-2 · analyzed Feb 16, 2026
metasploit · WORKING POC · EXCELLENT
by Valentin Lobstein, Rein Daelman · ruby · poc · php
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/wp_time_capsule_file_upload_rce.rb

This Metasploit module exploits an arbitrary file upload vulnerability in the WordPress WP Time Capsule plugin (versions <= 1.22.21) by bypassing extension validation to upload a malicious PHP file, achieving remote code execution (RCE).

Classification: Working PoC (100%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: WordPress WP Time Capsule plugin <= 1.22.21
No auth needed
Prerequisites: Access to the target WordPress site · WP Time Capsule plugin version <= 1.22.21 installed
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

WP Time Capsule Plugin - Remote Code Execution
CRITICAL · VERIFIED · by iamnoooob, rootxharsh, pdresearch
FOFA: body="/wp-content/plugins/wp-time-capsule/"

Scores

CVSS v3 9.8
EPSS 0.9371
EPSS Percentile 99.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

VulnCheck KEV 2025-03-19
CWE
CWE-434
Status published
Products (2)
revmakx/Backup and Staging by WP Time Capsule < 1.22.21
revmakx/backup_and_staging_by_wp_time_capsule < 1.22.22
Published Nov 16, 2024
Tracked Since Feb 18, 2026