CVE-2024-9461: Total Upkeep <= 1.16.6 - Authenticated (Administrator+) Remote Code Execution via Backup Settings

7.2 CVSS

Description

The Total Upkeep – WordPress Backup Plugin plus Restore & Migrate by BoldGrid plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.16.6 via the cron_interval parameter. This is due to missing input validation and sanitization. This makes it possible for authenticated attackers, with Administrator-level access and above, to execute code on the server.

Classification

CVE ID: CVE-2024-9461

CVSS Base Severity: HIGH

CVSS Base Score: 7.2

Affected Products

Vendor: boldgrid

Product: Total Upkeep – WordPress Backup Plugin plus Restore & Migrate by BoldGrid

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.04% (probability of being exploited)

EPSS Percentile: 11.72% (scored less or equal to compared to others)

EPSS Date: 2025-02-03 (when was this score calculated)

References

https://www.wordfence.com/threat-intel/vulnerabilities/id/804b42a0-1cea-4f68-bd4a-d292a9f23fbe?source=cve
https://plugins.trac.wordpress.org/browser/boldgrid-backup/tags/1.16.5/admin/class-boldgrid-backup-admin-settings.php#L748

Timeline

2024-11-27 14:42:11 UTC
CVE

Total Upkeep <= 1.16.6 - Authenticated (Administrator+) Remote Code Execution via Backup Settings