Back to KEVs

CVE-2020-24186

A Remote Code Execution vulnerability exists in the gVectors wpDiscuz plugin 7.0 through 7.0.4 for WordPress, which allows unauthenticated users to...

Basic Information

CVE State: PUBLISHED
Reserved Date: August 13, 2020
Published Date: August 24, 2020
Last Updated: August 04, 2024
Vendor: gVectors
Product: wpDiscuz
Description: A Remote Code Execution vulnerability exists in the gVectors wpDiscuz plugin 7.0 through 7.0.4 for WordPress, which allows unauthenticated users to upload any type of file, including PHP files via the wmuUploadFiles AJAX action.
Tags

CVSS Scores

CVSS v3.1

10.0 - CRITICAL

Vector: CVSS:3.1/AC:L/AV:N/A:H/C:H/I:H/PR:N/S:C/UI:N

CVSS v2.0

7.5

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS Score

Score: 93.86% (Percentile: 99.86%) as of 2025-05-12

Exploit Status

Proof of Concept Available: Yes (added 2023-12-21 23:23:43 UTC) Source

References

https://www.wordfence.com/blog/2020/07/critical-arbitrary-file-upload-vulnerability-patched-in-wpdiscuz-plugin/ http://packetstormsecurity.com/files/162983/WordPress-wpDiscuz-7.0.4-Shell-Upload.html http://packetstormsecurity.com/files/163012/WordPress-wpDiscuz-7.0.4-Remote-Code-Execution.html http://packetstormsecurity.com/files/163302/WordPress-wpDiscuz-7.0.4-Shell-Upload.html

Known Exploited Vulnerability Information

Source	Added Date
Wordfence	2020-07-28 14:15:03 UTC

Scanner Integrations

Scanner	URL	Date Detected
Metasploit	https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/wp_wpdiscuz_unauthenticated_file_upload.rb	2025-04-28 15:02:35 UTC
Nuclei	https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2020/CVE-2020-24186.yaml	2025-04-25 00:00:00 UTC