CVE-2024-49329 in WP REST API FNS Plugin
Summary
by MITRE • 10/20/2024
Unrestricted Upload of File with Dangerous Type vulnerability in vivek2tamrakar WP REST API FNS rest-api-fns allows Upload a Web Shell to a Web Server.This issue affects WP REST API FNS: from n/a through <= 1.0.0.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 04/06/2026
The vulnerability identified as CVE-2024-49329 represents a critical security flaw in the WP REST API FNS plugin for WordPress systems. This issue stems from an unrestricted file upload capability that permits malicious actors to bypass normal security controls and upload files with potentially harmful extensions. The vulnerability specifically impacts versions of the plugin from the initial release through version 1.0.0, creating a window of opportunity for attackers to exploit this weakness. The flaw allows for the upload of web shells, which are malicious scripts that provide attackers with remote access to compromised systems, effectively turning vulnerable servers into command and control nodes for further malicious activities.
The technical implementation of this vulnerability resides in the plugin's file upload functionality which fails to properly validate or sanitize file types before allowing uploads to proceed. This lack of input validation creates an environment where attackers can submit files with dangerous extensions such as .php, .jsp, or other server-side script formats that can execute code on the target web server. The vulnerability maps directly to CWE-434, which describes "Unrestricted Upload of File with Dangerous Type" and represents a common pattern in web application security where file upload mechanisms lack proper restrictions on file content or extensions. The absence of proper file type checking and content validation allows attackers to bypass security measures that would normally prevent execution of malicious code on the server.
The operational impact of this vulnerability is severe and multifaceted, as it provides attackers with persistent remote code execution capabilities on affected systems. Once a web shell is successfully uploaded, threat actors can establish backdoors, exfiltrate sensitive data, escalate privileges, and use the compromised server as a staging ground for further attacks within the network. This vulnerability can lead to complete system compromise, data breaches, and potential lateral movement to other systems within the network infrastructure. The implications extend beyond immediate exploitation as the web shell provides attackers with a persistent foothold that can be maintained long after initial access is gained, making detection and remediation more challenging. Organizations using affected versions of the WP REST API FNS plugin face significant risk of unauthorized access and potential data loss.
Mitigation strategies for this vulnerability should prioritize immediate remediation through plugin updates to versions that address the unrestricted upload issue. System administrators should implement comprehensive file upload restrictions including MIME type validation, filename sanitization, and storage of uploaded files outside the web root directory. The implementation of web application firewalls and intrusion detection systems can provide additional layers of protection by monitoring for suspicious upload patterns and malicious file content. Organizations should also conduct thorough security assessments of their WordPress installations to identify and remediate similar vulnerabilities in other plugins or themes. This vulnerability aligns with ATT&CK technique T1190, which describes "Exploit Public-Facing Application" and demonstrates how insecure file upload mechanisms can be leveraged for initial access and persistence within target environments. Regular security audits and vulnerability scanning should be implemented to proactively identify and address similar weaknesses in web applications and their associated plugins.