Critical severity9.8NVD Advisory· Published Nov 9, 2024· Updated Apr 15, 2026

CVE-2024-10586

Description

The Debug Tool plugin for WordPress is vulnerable to arbitrary file creation due to a missing capability check on the dbt_pull_image() function and missing file type validation in all versions up to, and including, 2.2. This makes it possible for unauthenticated attackers to to create arbitrary files such as .php files that can be leveraged for remote code execution. CVE-2024-52416 may be a duplicate of this issue.

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

plugins.trac.wordpress.org/browser/debug-tool/trunk/tools/image-puller.phpnvd
www.wordfence.com/threat-intel/vulnerabilities/id/5e9d5c93-dcd7-450e-8c52-5c95fc5473d2nvd

News mentions

No linked articles in our index yet.

cvss	0.637
epss	0.047
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000