CVE-2024-10586

Debug Tool <= 2.2 - Unauthenticated Arbitrary File Creation

Basic Information

CVE State
PUBLISHED
Reserved Date
October 31, 2024
Published Date
November 09, 2024
Last Updated
November 12, 2024
Vendor
eugenbobrowski
Product
Debug Tool
Description
The Debug Tool plugin for WordPress is vulnerable to arbitrary file creation due to a missing capability check on the dbt_pull_image() function and missing file type validation in all versions up to, and including, 2.2. This makes it possible for unauthenticated attackers to create arbitrary files such as .php files that can be leveraged for remote code execution.
Tags
wordpress php

CVSS Scores

CVSS v3.1

9.8 - CRITICAL

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score

Score
22.15% (Percentile: 95.53%) as of 2025-07-28

SSVC Information

Exploitation
none
Automatable
Yes
Technical Impact
total

Exploit Status

Exploited in the Wild
Yes (2025-07-24 00:00:00 UTC)

Known Exploited Vulnerability Information

Source
The Shadowserver (via CIRCL)
Added Date
2025-07-25 12:00:27 UTC

Timeline

  • CVE ID Reserved

  • CVE Published to Public

  • Added to KEVIntel