CVE-2024-6848: Wp Base64 Upload Missing Mime Validation

Base64 decoded content is directly uploaded via `wp_upload_bits` without validating its actual MIME type. This allows attackers to upload arbitrary malicious files, which can lead to Stored Cross-Site Scripting (XSS) or Remote Code Execution (RCE) depending on the file extension and server configuration. Validate the decoded content using `finfo_buffer` befo

Provally CuratedPublic repositoryMediumHigh confidenceVerifiedApache-2.0

PHP^β

greprules fetch cve-2024-6848-wp-base64-upload-missing-mime-validation --engine opengrep

Description

License: Apache-2.0
Source context: Public repository
Source: Provally CVE rule catalog
Validation status: Verified
Quality signals: 145 downloads
0 direct145 via packs
· 0 stars · Quality score 79How quality works
Included packs: 2 packs

Community feedback

0 signals from signed-in users.

Useful: 0
False positive: 0
Metadata: 0