CVE-2024-8856
Backup and Staging by WP Time Capsule <= 1.22.21 - Unauthenticated Arbitrary File Upload
Basic Information
- CVE State: PUBLISHED
- Reserved Date: September 13, 2024
- Published Date: November 16, 2024
- Last Updated: November 21, 2024
- Vendor: revmakx
- Product: Backup and Staging by WP Time Capsule
- Description: The Backup and Staging by WP Time Capsule plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the UploadHandler.php file and no direct file access prevention in all versions up to, and including, 1.22.21. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server, which may make remote code execution possible.
- Tags
- Score: 91.95% (Percentile: 99.68%) as of 2025-07-26
- Exploitation: none
- Automatable: Yes
- Technical Impact: total
- Exploited in the Wild: Yes (2025-06-26 00:00:00 UTC) Source
CVSS Scores
CVSS v3.1
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Known Exploited Vulnerability Information
Source | Added Date |
---|---|
The Shadowserver (via CIRCL) | 2025-06-27 12:01:33 UTC |
Scanner Integrations
Scanner | URL | Date Detected |
---|---|---|
Metasploit | https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/wp_time_capsule_file_upload_rce.rb | 2025-04-29 11:01:25 UTC |
Nuclei | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2024/CVE-2024-8856.yaml | 2025-04-26 00:00:00 UTC |
Potential Proof of Concepts
Warning: These PoCs have not been tested and could contain malware. Use at your own risk.
wp_time_capsule_file_upload_rce
Type: metasploit • Created: Unknown
Jenderal92/CVE-2024-8856
Type: github • Created: 2024-11-21 04:01:27 UTC • Stars: 2
ubaydev/CVE-2024-8856
Type: github • Created: 2024-11-16 20:04:11 UTC • Stars: 2
Timeline
- CVE ID Reserved
- CVE Published to Public
- Detected by Nuclei
- Detected by Metasploit
- Added to KEVIntel