Key Vulnerability Information

Description
Vulnerability name: Z-Downloads < 1.11.5 - Admin+ Arbitrary File Upload
Description: The plugin does not properly validate uploaded files, allowing high-privilege users (such as admins) to upload arbitrary files to the server even when they should not be allowed to (for example, in a multisite setup).

Affected Plugin
Plugin name: z-downloads
Fixed in: 1.11.5

References
CVE ID: CVE-2024-8699

Other Information
Original researcher: Minh Giang & Christopher Houk
Submitter: Certus Cybersecurity
Verified: Yes
WPVDB ID: 9013351e-224f-4696-970f-eb843dc8dace

Timeline
Publicly published: 2024-08-06
Added: 2024-09-18
Last updated: 2024-09-24

Other Related Vulnerabilities
YayExtra – WooCommerce Extra Product Options < 1.3.8 - Unauthenticated Arbitrary File Upload via handle_upload_file Function
All Post Contact Form <= 1.8.0 - Unauthenticated Arbitrary File Upload
WP Marketplace 1.5.0-1.6.1 - Arbitrary File Upload
Super Progressive Web Apps < 2.1.13 - Authenticated (High Privileged) Arbitrary File Upload to RCE
Tumult Hype Animations < 1.9.16 - Authenticated (Author+) Arbitrary File Upload via hypeanimations_panel Function