Vulnerability detail
Enriched intelligence for a single CVE
Critical
CVE-2024-8856
PUBLISHEDBackup and Staging by WP Time Capsule <= 1.22.21 - Unauthenticated Arbitrary File Upload
- Vendor
- revmakx
- Product
- Backup and Staging by WP Time Capsule
- Published
- Nov 16, 2024
- EPSS
- —
Description
The Backup and Staging by WP Time Capsule plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the the UploadHandler.php file and no direct file access prevention in all versions up to, and including, 1.22.21. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
CVSS scores
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitation status
Proof of concept available
Recorded 2024-11-21 04:01:27 UTC · Source
SSVC decision points
- Exploitation
- none
- Automatable
- Yes
- Technical impact
- total
References
- https://www.wordfence.com/threat-intel/vulnerabilities/id/fdc2de78-5601-461f-b2f0-c80b592ccb1b?source=cve
- https://plugins.trac.wordpress.org/browser/wp-time-capsule/trunk/wp-tcapsule-bridge/upload/php/UploadHandler.php
- https://plugins.trac.wordpress.org/changeset/3188325/
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3153289%40wp-time-capsule&new=3153289%40wp-time-capsule&sfp_email=&sfph_mail=
- https://hacked.be/posts/CVE-2024-8856
Known exploited vulnerability sources
Catalogues that list this CVE as a known exploited vulnerability.
| Source | Added |
|---|---|
| The Shadowserver (via CIRCL) | Jun 26, 2025 |
Scanner integrations
| Scanner | Reference | Detected |
|---|---|---|
| Metasploit | https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/wp_time_capsule_file_upload_rce.rb | Apr 28, 2025 |
| Nuclei | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2024/CVE-2024-8856.yaml | Apr 25, 2025 |
Potential proof of concepts
These PoCs are unverified and could contain malware. Use at your own risk.
github · Created 2024-11-21 04:01:27 UTC · 2 stars
This tool scans WordPress websites for vulnerabilities in the WP Time Capsule plugin related to CVE-2024-8856. It identifies plugin versions below 1.22.22 as vulnerable and logs results to vuln.txt. Simple and efficient, it helps security researchers and admins detect and address risks quickly.
github · Created 2024-11-16 20:04:11 UTC · 2 stars
WordPress WP Time Capsule Plugin Arbitrary File Upload Vulnerability
Timeline
-
CVE ID Reserved
-
CVE Published to Public
-
Proof of Concept Exploit Available
-
Detected by Nuclei
-
Detected by Metasploit
-
Added to KEVIntel