CVE-2024-58348
Description
WordPress Background Image Cropper v1.2 has a critical RCE vulnerability allowing unauthenticated attackers to upload and execute arbitrary PHP files via ups.php.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
WordPress Background Image Cropper version 1.2 contains a remote code execution vulnerability. This flaw allows unauthenticated attackers to upload arbitrary files by accessing the ups.php endpoint within the plugin directory. The vulnerability affects versions up to and including 1.2 [3].
Exploitation
An unauthenticated attacker can exploit this vulnerability by sending a crafted request to the ups.php endpoint. The attacker needs to upload a malicious PHP file through the file upload form. The provided exploit code demonstrates uploading a PHP web shell, which, upon successful upload, allows the attacker to execute arbitrary commands on the server [1].
Impact
Successful exploitation of this vulnerability allows an unauthenticated attacker to achieve remote code execution on the server. This means the attacker can upload and run arbitrary PHP code, potentially leading to a full compromise of the affected WordPress site and server [3].
Mitigation
This plugin was closed on June 25, 2025, and is no longer available for download, at the author's request [4]. No patched version exists, so the only effective remediation is to remove the plugin immediately wherever it is still installed. The plugin has also been reported to auto-install and to contain malware or backdoor scripts [4], so removing the plugin directory should be followed by a check for PHP files it may have dropped elsewhere in the site.
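A removal-and-triage check for the steps above, added here as an example; it is not code from the plugin, the advisory, or the cited references. It assumes the plugin lives at wp-content/plugins/background-image-cropper (the directory named on this page), treats any PHP file under wp-content/uploads as a finding, and flags PHP files whose code passes a request superglobal straight into an eval or command sink. The file names and contents written by build_sample_root are constructed for the example.

```python
import re
import tempfile
from pathlib import Path

PLUGIN_DIR = Path("wp-content/plugins/background-image-cropper")  # path named on this page
UPLOADS_DIR = Path("wp-content/uploads")                           # PHP must never live here

PHP_EXT = {".php", ".phtml", ".php5", ".php7", ".phar"}

# A request superglobal flowing straight into a code or command sink: the
# shape of the minimal web shell an arbitrary-upload bug is used to drop.
SHELL_RE = re.compile(
    r"\b(eval|assert|system|exec|shell_exec|passthru|popen)\s*\("
    r"[^;]*\$_(GET|POST|REQUEST|COOKIE)\b",
    re.IGNORECASE,
)


def triage(wp_root):
    """Return (kind, relative_path) findings for a WordPress document root.

    kinds: plugin_present   - the closed plugin is still installed
           php_in_uploads   - a PHP file sits under wp-content/uploads
           webshell_pattern - a PHP file feeds request input into a sink
    """
    root = Path(wp_root)
    findings = []
    if (root / PLUGIN_DIR).is_dir():
        findings.append(("plugin_present", PLUGIN_DIR.as_posix()))
    for base in (PLUGIN_DIR, UPLOADS_DIR):
        top = root / base
        if not top.is_dir():
            continue
        for p in sorted(top.rglob("*")):        # sorted for stable output
            if not p.is_file() or p.suffix.lower() not in PHP_EXT:
                continue
            rel = p.relative_to(root).as_posix()
            if base == UPLOADS_DIR:
                findings.append(("php_in_uploads", rel))
            if SHELL_RE.search(p.read_text(errors="replace")):
                findings.append(("webshell_pattern", rel))
    return findings


def build_sample_root():
    """Constructed fixture: a stale plugin copy plus two dropped PHP files.

    x.php and shell.php are invented names; the page does not say where
    ups.php writes the uploaded file.
    """
    root = Path(tempfile.mkdtemp(prefix="wp-triage-"))
    files = {
        PLUGIN_DIR / "ups.php": "<?php /* placeholder, not the real handler */ ?>",
        PLUGIN_DIR / "x.php": "<?php system($_GET['cmd']); ?>",
        UPLOADS_DIR / "2025/06/shell.php": "<?php @eval($_POST['c']); ?>",
        UPLOADS_DIR / "2025/06/photo.jpg": "not a real jpeg, but not PHP either",
    }
    for rel, body in files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)
    return root


if __name__ == "__main__":
    for kind, rel in triage(build_sample_root()):
        print(f"{kind:17s} {rel}")
```

Run it against a real document root with triage("/var/www/html"); the regex is deliberately narrow (it will miss obfuscated shells), so treat an empty webshell_pattern result as "nothing obvious", not as a clean bill, and treat every php_in_uploads hit as hostile until proven otherwise.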
AI Insight generated on Jun 8, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- (no CPE), range: <=1.2
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The ups.php endpoint in the Background Image Cropper plugin does not validate uploaded file types, allowing arbitrary file uploads."
Attack vector
An unauthenticated attacker can exploit this vulnerability by sending a POST request to the `ups.php` endpoint within the plugin directory. The attacker can upload a malicious PHP file, such as a web shell, by using the file upload form. This allows for arbitrary code execution on the server. The exploit script demonstrates this by attempting to upload a PHP file containing a simple web shell [1].
Affected code
The vulnerability resides in the `ups.php` file within the `background-image-cropper` plugin directory. This file handles file uploads without proper validation.
What the fix does
No fix is available: the plugin was closed on June 25, 2025, and no patched version was ever published [4]. The vulnerability therefore remains exploitable on every installation that still has the plugin, and the only remediation is to remove it.
Preconditions
- auth: The attacker does not require any authentication.
- network: The attacker needs network access to the target WordPress site.
- input: The attacker must be able to send a POST request with a file upload payload to the `ups.php` endpoint.
Reproduction
The provided exploit script can be used to reproduce this vulnerability. It takes a list of target URLs as input and attempts to upload a PHP file to the `ups.php` endpoint. If successful, it saves the vulnerable URL to `Shells.txt` [1].
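The attack vector and reproduction steps above describe the traffic an exploited site would have logged: a POST to ups.php followed by requests for whatever PHP file the upload created. The hunt below over access-log lines is an added example, not the page's exploit script or the plugin's code. It assumes the Apache/nginx combined log format and the plugin path named on this page; the sample lines are constructed, and the name shell.php in them is invented, since the page does not say where ups.php writes the uploaded file.

```python
import re

PLUGIN_PREFIX = "/wp-content/plugins/background-image-cropper/"
UPS_PATH = PLUGIN_PREFIX + "ups.php"

# Combined log format; only the fields the hunt needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample: one scanner (203.0.113.7) fetches the form, POSTs to
# ups.php, then calls a PHP file in the plugin directory; one ordinary visitor.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2025:12:00:01 +0000] "GET /wp-content/plugins/background-image-cropper/ups.php HTTP/1.1" 200 1432 "-" "python-requests/2.31"
203.0.113.7 - - [10/Jun/2025:12:00:02 +0000] "POST /wp-content/plugins/background-image-cropper/ups.php HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [10/Jun/2025:12:00:03 +0000] "GET /wp-content/plugins/background-image-cropper/shell.php?cmd=id HTTP/1.1" 200 80 "-" "python-requests/2.31"
198.51.100.4 - - [10/Jun/2025:12:05:00 +0000] "GET /index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Jun/2025:12:05:10 +0000] "GET /wp-content/plugins/background-image-cropper/assets/style.css HTTP/1.1" 200 300 "-" "Mozilla/5.0"
this line is not in combined format and must be skipped
"""


def parse_line(line):
    """Return the fields we need as a dict, or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["status"] = int(e["status"])
    e["path"] = e["target"].split("?", 1)[0]   # drop the query string
    return e


def hunt(lines):
    """Classify requests relevant to the ups.php upload flaw.

    upload_posts: POST to ups.php, i.e. the unauthenticated upload itself
                  (a GET fetches the form and is not flagged).
    php_hits:     direct requests for any other .php file below the plugin
                  directory. Plugin code is normally included by WordPress,
                  not requested by URL, so a direct hit is a candidate dropped
                  shell; after_upload_post marks hits from an IP that already
                  POSTed to ups.php.
    """
    upload_posts, php_hits = [], []
    posted_ips = set()
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        if e["path"] == UPS_PATH:
            if e["method"] == "POST":
                upload_posts.append(e)
                posted_ips.add(e["ip"])
            continue
        if e["path"].startswith(PLUGIN_PREFIX) and e["path"].lower().endswith(".php"):
            e["after_upload_post"] = e["ip"] in posted_ips
            php_hits.append(e)
    return {"upload_posts": upload_posts, "php_hits": php_hits}


def report(log_text=SAMPLE_LOG):
    r = hunt(log_text.splitlines())
    for e in r["upload_posts"]:
        print(f"{e['ts']} {e['ip']} POST to ups.php -> HTTP {e['status']}")
    for e in r["php_hits"]:
        tag = "correlated" if e["after_upload_post"] else "uncorrelated"
        print(f"{e['ts']} {e['ip']} direct PHP hit {e['path']} ({tag})")
    return r


if __name__ == "__main__":
    report()
```

Feed a real log with hunt(open("/var/log/apache2/access.log").read().splitlines()). Because the page does not say where ups.php stores uploads, php_hits is scoped to the plugin directory; if the upload handler on a given site writes elsewhere, widen PLUGIN_PREFIX to that location. A 200 on the POST does not by itself prove the upload succeeded, so confirm with the filesystem rather than the status code.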
Generated on Jun 8, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (4)
News mentions
No linked articles in our index yet.