CVE-2024-11082

moderate-risk

Published 2024-11-28

The Tumult Hype Animations plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the hypeanimations_panel() function in all versions up to, and including, 1.9.15. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

Do I need to act?

~

9.3% chance of exploitation in next 30 days

EPSS score — moderate exploit probability

-

Not on CISA KEV list

No confirmed active exploitation reported to CISA

+

Fix available

Upgrade to: 1702d3d4fd0fae9cb9fc40cdfc3dfb8584d5f04c

9

CVSS 9.9/10 Critical

NETWORK / LOW complexity

References (5)

https://github.com/tumult/hype-wordpress-plugin/commit/1702d3d4fd0fae9cb9fc40cdf...

https://plugins.trac.wordpress.org/browser/tumult-hype-animations/trunk/includes...

https://plugins.trac.wordpress.org/changeset/3197761/

https://wordpress.org/plugins/tumult-hype-animations/#developers

https://www.wordfence.com/threat-intel/vulnerabilities/id/be3a0b4b-cce5-4d78-99d...

49

/ 100

moderate-risk

Severity 33/34 · Critical

Exploitability 11/34 · Low

Exposure 5/34 · Minimal