CVE-2024-9234
GutenKit <= 2.1.0 - Unauthenticated Arbitrary File Upload
Basic Information
- CVE State: PUBLISHED
- Reserved Date: September 26, 2024
- Published Date: October 11, 2024
- Last Updated: October 11, 2024
- Vendor: ataurr
- Product: GutenKit – Page Builder Blocks, Patterns, and Templates for Gutenberg Block Editor
- Description: The GutenKit – Page Builder Blocks, Patterns, and Templates for Gutenberg Block Editor plugin for WordPress is vulnerable to arbitrary file upload due to a missing capability check on the install_and_activate_plugin_from_external() function (the install-active-plugin REST API endpoint) in all versions up to, and including, 2.1.0. Because the endpoint performs no authorization check, unauthenticated attackers can install and activate arbitrary plugins, or use the same functionality to upload arbitrary files disguised as plugins.

CVSS Scores
- CVSS v3.1: 9.8 - CRITICAL
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

SSVC Information
- Exploitation: none
- Automatable: Yes
- Technical Impact: total

Exploit Status
- Exploited in the Wild: Yes (2025-10-24 07:28:55 UTC); source: nuclei_scanner
References
- https://www.wordfence.com/threat-intel/vulnerabilities/id/e44c5dc0-6bf6-417a-9383-b345ff57ac32?source=cve
- https://github.com/WordPressBugBounty/plugins-gutenkit-blocks-addon/blob/dc3738bb821cf1d93a11379b8695793fa5e1b9e6/gutenkit-blocks-addon/includes/Admin/Api/ActivePluginData.php#L76
- https://plugins.trac.wordpress.org/browser/gutenkit-blocks-addon/tags/2.1.0/includes/Admin/Api/ActivePluginData.php?rev=3159783#L76
- https://plugins.trac.wordpress.org/browser/gutenkit-blocks-addon/tags/2.1.1/includes/Admin/Api/ActivePluginData.php?rev=3164886
Known Exploited Vulnerability Information
| Source | Added Date |
|---|---|
| The Shadowserver (via CIRCL) | 2025-10-24 07:28:55 UTC |
Scanner Integrations
| Scanner | URL | Date Detected |
|---|---|---|
| Nuclei | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2024/CVE-2024-9234.yaml | 2025-04-25 00:00:00 UTC |
Timeline
- CVE ID Reserved: September 26, 2024
- CVE Published to Public: October 11, 2024
- Detected by Nuclei: 2025-04-25 00:00:00 UTC
- Added to KEVIntel