CVE-2024-49326: Affiliator WP Plugin: Unauthenticated Web Shell Upload

CRITICAL PoC AVAILABLE CISA: TRACK*
Published October 20, 2024
CISO Take

CVE-2024-49326 is a critical unauthenticated arbitrary file upload (CWE-434) in the WordPress Affiliator plugin, versions up to and including 2.1.3. An attacker with no credentials can upload a PHP web shell and execute code on the web server. Any WordPress host running this plugin alongside AI APIs, model inference endpoints, or data pipelines is exposed to full host compromise. Disable and remove the plugin immediately; no patched version is confirmed available, so there is nothing to update to.

What is the risk?

Risk is critical. CVSS 9.8 with AV:N/AC:L/PR:N/UI:N means the flaw is reachable over the network with no credentials and no user interaction, so automated scanners and low-skill attackers can exploit it at scale. Confidentiality, integrity and availability are all rated High: a web shell gives the attacker everything the web server process can read, write or run. Because no patched version is confirmed, organizations must remove the plugin rather than wait for an update; a WAF rule only buys time. AI/ML workloads that share a host with the WordPress deployment face downstream compromise of model credentials, API keys, and training data.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
Affiliator (WordPress plugin by Vasilis Kerasiotis) WordPress plugin from n/a through 2.1.3 No patched version confirmed

Do you run the Affiliator WordPress plugin at version 2.1.3 or earlier? You're affected.

How severe is it?

CVSS 3.1
9.8 / 10
EPSS
0.5%
chance of exploitation in 30 days
Higher than 39% of all CVEs
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

What should I do?

7 steps
  1. Audit every WordPress installation on every host, including staging and demo portals: list active plugins with versions (wp plugin list --status=active --fields=name,version) and flag any Affiliator install at 2.1.3 or earlier.

  2. Deactivate and delete the plugin immediately (wp plugin deactivate affiliator && wp plugin delete affiliator); no patched version is confirmed, so updating is not an option.

  3. While removal is being scheduled, deploy a WAF rule blocking multipart POST requests to anything under wp-content/plugins/affiliator/. The advisory does not name the upload handler, so match on the directory prefix rather than a single file. This is a stopgap, not a fix.

  4. Hunt for existing compromise: look for recently added PHP files (find /var/www -name '*.php' -newer /var/www/wp-config.php -mtime -90) and, above all, for any PHP under wp-content/uploads, which should never contain executable code (find /var/www -path '*/wp-content/uploads/*' -name '*.php*'). Verify core and plugin integrity with wp core verify-checksums and wp plugin verify-checksums --all.

  5. Review web server access logs for POST requests to the plugin directory and for GET requests to .php files under wp-content/uploads (the request that runs a dropped shell), especially from IPs that appear only for those requests.

  6. Rotate all API keys and credentials stored on or accessible from the affected host: database credentials in wp-config.php, .env files, AI provider keys, and any cloud instance credentials.

  7. If compromise is suspected, isolate the host, preserve logs and disk images, and complete a forensic review before restoring from a known-good backup.
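The audit and hunt steps above can be scripted so the same check runs on every host. The following is an added example, not code from the page or from the plugin's author: it reads the plugin's version from its header comment, flags anything at 2.1.3 or earlier, lists PHP files under wp-content/uploads, and picks out of an access log the POSTs to the plugin directory and the requests that would execute a dropped shell. The plugin slug `affiliator`, the sample install it builds in a temp directory, and the log lines (including the `upload-handler.php` path, which the advisory does not name) are all constructed for the demo.

```python
"""Added audit helper for CVE-2024-49326: version check, uploads hunt, and access-log review."""
import os
import re
import tempfile

PLUGIN_SLUG = "affiliator"          # directory name under wp-content/plugins/, as used on this page
LAST_VULNERABLE = (2, 1, 3)         # advisory: affected "from n/a through 2.1.3"
PHP_EXTENSIONS = {".php", ".phtml", ".php5", ".php7", ".phar"}

# Apache/nginx combined log format; only the fields the hunt needs are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')


def parse_plugin_version(header_text):
    """Read 'Version:' from a WordPress plugin header comment; None if absent."""
    m = re.search(r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)", header_text, re.MULTILINE)
    return m.group(1) if m else None


def is_vulnerable(version):
    """True when version <= 2.1.3, comparing numerically so that 2.10.0 sorts above 2.1.3."""
    return tuple(int(p) for p in version.split(".")) <= LAST_VULNERABLE


def installed_plugin_version(wp_root):
    """Locate the plugin's PHP files and return the first header version found, else None."""
    plugin_dir = os.path.join(wp_root, "wp-content", "plugins", PLUGIN_SLUG)
    if not os.path.isdir(plugin_dir):
        return None
    for name in sorted(os.listdir(plugin_dir)):
        if name.endswith(".php"):
            with open(os.path.join(plugin_dir, name), encoding="utf-8", errors="replace") as f:
                version = parse_plugin_version(f.read(8192))   # header lives in the first few KB
            if version:
                return version
    return None


def php_files_in_uploads(wp_root):
    """wp-content/uploads must never hold executable PHP; flag by extension or by content."""
    uploads = os.path.join(wp_root, "wp-content", "uploads")
    hits = []
    for dirpath, _, files in os.walk(uploads):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                head = f.read(256)
            if os.path.splitext(name)[1].lower() in PHP_EXTENSIONS or b"<?php" in head or b"<?=" in head:
                hits.append(os.path.relpath(path, wp_root))
    return sorted(hits)


def suspicious_requests(log_lines):
    """(ip, method, path, status) for POSTs into the plugin directory and for hits on PHP under uploads."""
    out = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        method, path = m.group("method"), m.group("path")
        upload_attempt = method == "POST" and f"/wp-content/plugins/{PLUGIN_SLUG}/" in path
        shell_hit = "/wp-content/uploads/" in path and ".php" in path.split("?", 1)[0]
        if upload_attempt or shell_hit:
            out.append((m.group("ip"), method, path, int(m.group("status"))))
    return out


def audit(wp_root, log_lines):
    """Combine the three checks into one report."""
    version = installed_plugin_version(wp_root)
    return {
        "plugin_version": version,
        "vulnerable": version is not None and is_vulnerable(version),
        "php_in_uploads": php_files_in_uploads(wp_root),
        "suspicious_requests": suspicious_requests(log_lines),
    }


def build_demo_site():
    """Constructed sample install (not real data) so the audit runs offline."""
    root = tempfile.mkdtemp(prefix="wp-demo-")
    plugin_dir = os.path.join(root, "wp-content", "plugins", PLUGIN_SLUG)
    uploads = os.path.join(root, "wp-content", "uploads", "2024", "10")
    os.makedirs(plugin_dir)
    os.makedirs(uploads)
    with open(os.path.join(plugin_dir, "affiliator.php"), "w") as f:
        f.write("<?php\n/**\n * Plugin Name: Affiliator\n * Version: 2.1.3\n */\n")
    with open(os.path.join(uploads, "banner.jpg"), "wb") as f:
        f.write(b"\xff\xd8\xff\xe0" + b"\x00" * 16)                     # genuine JPEG magic
    with open(os.path.join(uploads, "logo.jpg.php"), "w") as f:
        f.write("<?php /* constructed placeholder, not a working shell */\n")
    return root


# Constructed access-log lines; the upload handler path is hypothetical (the advisory does not name it).
DEMO_LOG = [
    '203.0.113.7 - - [20/Oct/2024:10:01:02 +0000] "GET /wp-content/plugins/affiliator/readme.txt HTTP/1.1" 200 512 "-" "wpscan"',
    '203.0.113.7 - - [20/Oct/2024:10:01:05 +0000] "POST /wp-content/plugins/affiliator/upload-handler.php HTTP/1.1" 200 41 "-" "python-requests/2.31"',
    '203.0.113.7 - - [20/Oct/2024:10:01:06 +0000] "GET /wp-content/uploads/2024/10/logo.jpg.php?cmd=id HTTP/1.1" 200 88 "-" "python-requests/2.31"',
    '198.51.100.4 - - [20/Oct/2024:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(audit(build_demo_site(), DEMO_LOG))
```

Point `audit()` at a real document root and at the lines of its access log; the uploads check deliberately flags by content as well as extension, because a shell stored as `logo.jpg.php` and one stored as `logo.jpg` with a PHP body behind a misconfigured handler both matter. Treat a single IP that only ever touches the plugin directory and then a `.php` file under uploads (the 203.0.113.7 pattern in the demo log) as a confirmed intrusion, not a scan.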

What does CISA's SSVC say?

Decision: Track*
Exploitation: none
Automatable: yes
Technical Impact: total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree. SSVC's Exploitation field distinguishes none, PoC and active; the "none" here is what CISA recorded at enrichment time and is a separate signal from the public PoC indexed by trickest/cve noted above, not a contradiction of it. Neither value indicates confirmed in-the-wild exploitation.

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 9 - Risk Management System
ISO 42001
A.7.4 - Information security in supplier relationships
NIST AI RMF
MANAGE-2.2 - Mechanisms to sustain AI risk management across the AI lifecycle
OWASP LLM Top 10
LLM05 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2024-49326?

CVE-2024-49326 is a critical unauthenticated arbitrary file upload (CWE-434) in the WordPress Affiliator plugin, versions up to and including 2.1.3. An attacker with no credentials can upload a PHP web shell and execute code on the web server. Any WordPress host running this plugin alongside AI APIs, model inference endpoints, or data pipelines is exposed to full host compromise. Disable and remove the plugin immediately; no patched version is confirmed available, so there is nothing to update to.

Is CVE-2024-49326 actively exploited?

Proof-of-concept exploit code is publicly indexed for CVE-2024-49326 (trickest/cve), and exploitation needs no authentication or user interaction, which makes mass exploitation by scanners practical. The EPSS estimate is 0.5% over 30 days, and CISA's SSVC record lists Exploitation as none, so no confirmed in-the-wild activity is recorded on this page; do not read that as safety for an exposed site.

How to fix CVE-2024-49326?

1. Audit every WordPress installation, including staging and demo portals: list active plugins with versions (wp plugin list --status=active --fields=name,version) and flag any Affiliator install at 2.1.3 or earlier. 2. Deactivate and delete the plugin immediately (wp plugin deactivate affiliator && wp plugin delete affiliator); no patched version is confirmed. 3. As a stopgap until removal, deploy a WAF rule blocking multipart POST requests to anything under wp-content/plugins/affiliator/; the advisory does not name the upload handler, so match on the directory prefix. 4. Hunt for existing compromise: recently added PHP files (find /var/www -name '*.php' -newer /var/www/wp-config.php -mtime -90), any PHP under wp-content/uploads (find /var/www -path '*/wp-content/uploads/*' -name '*.php*'), and integrity drift via wp core verify-checksums and wp plugin verify-checksums --all. 5. Review web server access logs for POST requests to the plugin directory and for GET requests to .php files under wp-content/uploads, especially from IPs seen only for those requests. 6. Rotate all API keys and credentials stored on or accessible from the affected host, including wp-config.php database credentials, .env files and AI provider keys. 7. If compromise is suspected, isolate the host, preserve logs and disk images, and complete a forensic review before restoring from a known-good backup.

What systems are affected by CVE-2024-49326?

This vulnerability affects the following AI/ML architecture patterns: web application frontends hosting AI services, shared infrastructure with AI API gateways, WordPress-based AI demo or documentation portals, model serving environments on multi-tenant web servers.

What is the CVSS score for CVE-2024-49326?

CVE-2024-49326 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 0.50%.

What is the AI security impact?

Affected AI Architectures

web application frontends hosting AI services
shared infrastructure with AI API gateways
WordPress-based AI demo or documentation portals
model serving environments on multi-tenant web servers

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0025 Exfiltration via Cyber Means
AML.T0049 Exploit Public-Facing Application
AML.T0050 Command and Scripting Interpreter
AML.T0055 Unsecured Credentials
AML.T0072 Reverse Shell

Compliance Controls Affected

EU AI Act: Article 9
ISO 42001: A.7.4
NIST AI RMF: MANAGE-2.2
OWASP LLM Top 10: LLM05

What are the technical details?

Original Advisory

Unrestricted Upload of File with Dangerous Type vulnerability in Vasilis Kerasiotis Affiliator allows Upload a Web Shell to a Web Server. This issue affects Affiliator: from n/a through 2.1.3.

Exploitation Scenario

Automated WordPress scanner identifies a site running Affiliator ≤2.1.3. Attacker crafts a multipart POST request to the plugin's file upload handler, submitting a PHP web shell with a spoofed image MIME type. The shell is written to the WordPress uploads or plugin directory and immediately accessible via HTTP. Attacker uses the shell to enumerate the host, finds .env files containing OpenAI/Anthropic API keys and database connection strings for a connected RAG system, exfiltrates them, and establishes persistence via crontab. Secondary attack: API keys used to exfiltrate proprietary training data or launch cost-harvesting attacks against the victim's AI services.

Weaknesses (CWE)

CWE-434 — Unrestricted Upload of File with Dangerous Type: The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

  • [Architecture and Design] Generate a new, unique filename for an uploaded file instead of using the user-supplied filename, so that no external input is used at all.[REF-422] [REF-423]
  • [Architecture and Design] When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs.

Source: MITRE CWE corpus.
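The exploitation scenario above (a PHP shell submitted with a spoofed image MIME type) and the CWE-434 mitigations just listed describe the same handler from two sides. The following is an added example, not code from the plugin or from the page: a minimal handler written in the trusting style CWE-434 describes, next to a hardened one that classifies the upload by its own magic bytes, rejects a declared type that does not match, refuses image data carrying a PHP open tag (the polyglot case), and stores the file under a server-generated random name with an allowlisted extension. Python stands in for the plugin's PHP so the behaviour can be checked offline; the payloads are constructed placeholders, and `ALLOWED_IMAGE_TYPES`, `run_cases()` and the case names are assumptions of the example.

```python
"""Added example: the client-trusting upload pattern behind CWE-434 beside a hardened version."""
import os
import secrets
import tempfile

# Server-side allowlist: MIME type -> (extension the server will assign, magic bytes the data must start with)
ALLOWED_IMAGE_TYPES = {
    "image/jpeg": (".jpg", b"\xff\xd8\xff"),
    "image/png": (".png", b"\x89PNG\r\n\x1a\n"),
    "image/gif": (".gif", b"GIF8"),
}


class UploadRejected(Exception):
    pass


def sniff_image_type(data):
    """Classify the upload by its own leading bytes; the client's Content-Type is never consulted."""
    for mime, (_, magic) in ALLOWED_IMAGE_TYPES.items():
        if data.startswith(magic):
            return mime
    return None


def vulnerable_save(upload_dir, filename, client_content_type, data):
    """The CWE-434 pattern: trust the declared type and keep the client's filename (and extension)."""
    if not client_content_type.startswith("image/"):
        raise UploadRejected("declared type is not an image")
    dest = os.path.join(upload_dir, os.path.basename(filename))   # attacker picks ".php"
    with open(dest, "wb") as f:
        f.write(data)
    return dest


def hardened_save(upload_dir, filename, client_content_type, data):
    """Content sniffing, extension chosen by the server from the allowlist, random name, no overwrite."""
    mime = sniff_image_type(data)
    if mime is None:
        raise UploadRejected("content does not match any allowed image type")
    if client_content_type != mime:
        raise UploadRejected(f"declared {client_content_type} but content is {mime}")
    if b"<?php" in data or b"<?=" in data:
        raise UploadRejected("PHP open tag inside image data (polyglot)")
    ext = ALLOWED_IMAGE_TYPES[mime][0]               # the client's filename is never used
    dest = os.path.join(upload_dir, secrets.token_hex(16) + ext)
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)   # O_EXCL: fail rather than clobber
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return dest


# Constructed payloads; the "shell" is a placeholder comment, not working code.
SPOOFED_SHELL = b"<?php /* constructed placeholder, not a working shell */ ?>"
POLYGLOT = b"\xff\xd8\xff\xe0" + b"\x00" * 8 + b"<?php /* placeholder */ ?>"
REAL_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 32

CASES = [
    ("shell", "cmd.php", "image/jpeg", SPOOFED_SHELL),        # spoofed MIME, PHP extension
    ("polyglot", "pic.jpg.php", "image/jpeg", POLYGLOT),      # genuine JPEG header, PHP tail
    ("jpeg", "pic.jpg", "image/jpeg", REAL_JPEG),             # legitimate image
]


def run_cases(upload_dir=None):
    """Push each case through both handlers; map (handler, case) -> stored basename, or None if rejected."""
    upload_dir = upload_dir or tempfile.mkdtemp(prefix="uploads-")
    results = {}
    for label, name, ctype, data in CASES:
        for handler in (vulnerable_save, hardened_save):
            try:
                results[(handler.__name__, label)] = os.path.basename(handler(upload_dir, name, ctype, data))
            except UploadRejected:
                results[(handler.__name__, label)] = None
    return results


if __name__ == "__main__":
    for key, value in run_cases().items():
        print(key, "->", value or "rejected")
```

The vulnerable handler stores `cmd.php` and `pic.jpg.php` verbatim, which is exactly the state the hunt step looks for under wp-content/uploads; the hardened one keeps only the real JPEG, under a name the attacker cannot predict or choose. In a WordPress plugin the equivalent is to route uploads through core's `wp_handle_upload()`, which reconciles extension and content via `wp_check_filetype_and_ext()`, rather than writing `$_FILES` data to disk directly, and to pair that with a web server rule that refuses to execute PHP under wp-content/uploads so a bypass of the validator still yields a dead file.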

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

Published
October 20, 2024
Last Modified
October 24, 2024
First Seen
October 20, 2024

Related Vulnerabilities