CVE-2024-2381

The AliExpress Dropshipping with AliNext Lite plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ajax_save_image function in all versions up to, and including, 3.3.5. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Configurations

Configuration 1 (hide)

cpe:2.3:a:ali2woo:aliexpress_dropshipping_with_alinext:*:*:*:*:lite:wordpress:*:*

History

21 Nov 2024, 09:09

Type Values Removed Values Added
References () https://plugins.trac.wordpress.org/browser/ali2woo-lite/trunk//includes/classes/controller/WooCommerceProductEditController.php#L108 - Product () https://plugins.trac.wordpress.org/browser/ali2woo-lite/trunk//includes/classes/controller/WooCommerceProductEditController.php#L108 - Product
References () https://www.wordfence.com/threat-intel/vulnerabilities/id/c3248327-6e10-420e-83cf-a23296eb2e6f?source=cve - Third Party Advisory () https://www.wordfence.com/threat-intel/vulnerabilities/id/c3248327-6e10-420e-83cf-a23296eb2e6f?source=cve - Third Party Advisory

20 Sep 2024, 00:18

Type Values Removed Values Added
CPE cpe:2.3:a:ali2woo:aliexpress_dropshipping_with_alinext:*:*:*:*:lite:wordpress:*:*
First Time Ali2woo aliexpress Dropshipping With Alinext
Ali2woo
CWE CWE-434
References () https://plugins.trac.wordpress.org/browser/ali2woo-lite/trunk//includes/classes/controller/WooCommerceProductEditController.php#L108 - () https://plugins.trac.wordpress.org/browser/ali2woo-lite/trunk//includes/classes/controller/WooCommerceProductEditController.php#L108 - Product
References () https://www.wordfence.com/threat-intel/vulnerabilities/id/c3248327-6e10-420e-83cf-a23296eb2e6f?source=cve - () https://www.wordfence.com/threat-intel/vulnerabilities/id/c3248327-6e10-420e-83cf-a23296eb2e6f?source=cve - Third Party Advisory

20 Jun 2024, 12:44

Type Values Removed Values Added
Summary
  • (es) El complemento AliExpress Dropshipping con AliNext Lite para WordPress es vulnerable a la carga de archivos arbitrarios debido a la falta de validación del tipo de archivo en la función ajax_save_image en todas las versiones hasta la 3.3.5 incluida. Esto hace posible que atacantes autenticados, con acceso de nivel de suscriptor y superior, carguen archivos arbitrarios en el servidor del sitio afectado, lo que puede hacer posible la ejecución remota de código.

19 Jun 2024, 04:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-06-19 04:15

Updated : 2024-11-21 09:09


NVD link : CVE-2024-2381

Mitre link : CVE-2024-2381

CVE.ORG link : CVE-2024-2381


JSON object : View

Products Affected

ali2woo

  • aliexpress_dropshipping_with_alinext
CWE
CWE-434

Unrestricted Upload of File with Dangerous Type