CVE-2024-6885

moderate-risk
Published 2024-07-23

The MaxiBlocks: 2200+ Patterns, 190 Pages, 14.2K Icons & 100 Styles plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the maxi_remove_custom_image_size and maxi_add_custom_image_size functions in all versions up to, and including, 1.9.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

Do I need to act?

~
7.9% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
8
CVSS 8.1/10 High
NETWORK / LOW complexity

References (8)

https://plugins.trac.wordpress.org/browser/maxi-blocks/tags/1.9.2/core/class-max...
https://plugins.trac.wordpress.org/browser/maxi-blocks/tags/1.9.2/core/class-max...
https://plugins.trac.wordpress.org/browser/maxi-blocks/tags/1.9.2/plugin.php#L22...
https://www.wordfence.com/threat-intel/vulnerabilities/id/249b08c5-7429-4690-9f0...
https://plugins.trac.wordpress.org/browser/maxi-blocks/tags/1.9.2/core/class-max...
https://plugins.trac.wordpress.org/browser/maxi-blocks/tags/1.9.2/core/class-max...
https://plugins.trac.wordpress.org/browser/maxi-blocks/tags/1.9.2/plugin.php#L22...
https://www.wordfence.com/threat-intel/vulnerabilities/id/249b08c5-7429-4690-9f0...
43
/ 100
moderate-risk
Severity 28/34 · Critical
Exploitability 10/34 · Low
Exposure 5/34 · Minimal