CVE-2024-6366

9.1 CRITICAL

📋 TL;DR

The User Profile Builder WordPress plugin before version 3.11.8 lacks an authorization check on its async upload functionality, allowing unauthenticated users to upload media files. This affects every WordPress site running a vulnerable version of the plugin and potentially lets attackers upload malicious files without authenticating.

💻 Affected Systems

Products:
  • User Profile Builder WordPress plugin
Versions: All versions before 3.11.8
Operating Systems: All operating systems running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all WordPress installations with vulnerable plugin versions, regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers upload webshells or malware, gain remote code execution, and completely compromise the WordPress site and underlying server.

🟠 Likely Case

Attackers upload malicious files (PHP shells, malware) to gain unauthorized access, deface websites, or establish persistence for further attacks.

🟢 If Mitigated

With proper file type restrictions and server-side validation, impact is limited to unauthorized file storage without execution capabilities.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple HTTP POST requests can exploit this vulnerability without authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.11.8

Vendor Advisory: https://wpscan.com/vulnerability/5b90cbdd-52cc-4e7b-bf39-bea0dd59e19e/

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the User Profile Builder plugin.
4. Click 'Update Now' if an update is available.
5. Alternatively, download version 3.11.8+ from the WordPress repository and update manually.

🔧 Temporary Workarounds

Disable plugin (all platforms)

Temporarily disable the User Profile Builder plugin until patched:

wp plugin deactivate user-profile-builder

Restrict upload directory (linux)

Set proper permissions on the wp-content/uploads directory:

chmod 755 wp-content/uploads
chown www-data:www-data wp-content/uploads

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block unauthorized upload requests
  • Disable the async upload functionality via .htaccess or server configuration

🔍 How to Verify

Check if Vulnerable:

Check plugin version in WordPress admin under Plugins → Installed Plugins

Check Version:

wp plugin get user-profile-builder --field=version

Verify Fix Applied:

Confirm plugin version is 3.11.8 or higher after update

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to /wp-admin/admin-ajax.php with upload parameters
  • File uploads from requests that carry no authenticated WordPress session

Network Indicators:

  • HTTP POST requests to the async upload endpoint without a session cookie or other authentication

SIEM Query:

source="web_logs" AND uri="/wp-admin/admin-ajax.php" AND action="upload" AND user="-"
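The same rule as the SIEM query above, run over a handful of constructed web-log records, as an added example (not code from the advisory, the plugin or the page's SIEM). The JSON log format and field names (uri, action, user, src, status) are assumptions; the admin-ajax `action` parameter normally travels in the POST body, so it only shows up in logs enriched by a WAF or reverse proxy, not in a plain access log.

```python
"""Flag unauthenticated upload requests to admin-ajax.php in web logs.

Added example, not from the advisory or the plugin. Mirrors the SIEM
query: POST to /wp-admin/admin-ajax.php, an upload action, and no
logged-in user. Field names are assumptions to be mapped onto whatever
the web server, WAF or proxy actually logs.
"""
import json
from collections import Counter
from urllib.parse import urlsplit

AJAX_PATH = "/wp-admin/admin-ajax.php"

# Constructed sample records (not real traffic). `user` is "-" when the
# request carried no WordPress session; `action` is the admin-ajax action
# as an enriching proxy/WAF would record it.
SAMPLE_LOG = """\
{"ts": "2024-06-30T10:00:01Z", "src": "203.0.113.10", "method": "POST", "uri": "/wp-admin/admin-ajax.php", "action": "upload", "user": "-", "status": 200}
{"ts": "2024-06-30T10:00:02Z", "src": "203.0.113.10", "method": "POST", "uri": "/wp-admin/admin-ajax.php", "action": "upload", "user": "-", "status": 200}
{"ts": "2024-06-30T10:00:03Z", "src": "198.51.100.7", "method": "POST", "uri": "/wp-admin/admin-ajax.php", "action": "upload", "user": "editor", "status": 200}
{"ts": "2024-06-30T10:00:04Z", "src": "198.51.100.8", "method": "POST", "uri": "/wp-admin/admin-ajax.php", "action": "heartbeat", "user": "-", "status": 200}
{"ts": "2024-06-30T10:00:05Z", "src": "192.0.2.44", "method": "GET", "uri": "/wp-admin/admin-ajax.php?action=upload", "action": "upload", "user": "-", "status": 403}
"""


def parse_log(text):
    """Parse JSON-lines log text; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def is_unauthenticated_upload(ev):
    """True when the record matches the advisory's indicator."""
    path = urlsplit(ev.get("uri", "")).path  # drop any query string
    return (
        ev.get("method") == "POST"
        and path == AJAX_PATH
        and "upload" in ev.get("action", "").lower()  # substring: catches action variants
        and ev.get("user", "-") == "-"
    )


def find_suspect_requests(text):
    return [ev for ev in parse_log(text) if is_unauthenticated_upload(ev)]


def suspect_sources(text):
    """Hits per source address, so a burst from one client stands out."""
    return Counter(ev["src"] for ev in find_suspect_requests(text))


if __name__ == "__main__":
    for ev in find_suspect_requests(SAMPLE_LOG):
        print(f"{ev['ts']} {ev['src']} status={ev['status']} action={ev['action']}")
    print(dict(suspect_sources(SAMPLE_LOG)))
```

On the sample data only the two session-less POSTs from 203.0.113.10 are flagged; the editor's upload, the heartbeat call and the rejected GET are not. After patching, the same requests should appear with a 4xx status, so a 200 on a flagged record is the line worth investigating first.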
