CVE-2024-9849

Summary

The Real3D Flipbook Lite – 3D FlipBook, PDF Viewer, PDF Embedder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'r3dfb_save_thumbnail_callback' function in all versions up to, and including, 4.8. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

Affected Software

VendorProductVersion RangeStatus
creativeinteractivemediaReal 3D Flipbook – 3D FlipBook, PDF FlipBook, PDF Viewer, PDF Embedder0 <= 4.8affected

Weaknesses

  • CWE-434: CWE-434 Unrestricted Upload of File with Dangerous Type

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References