
CVE-2024-6366: Profile Builder Auth Bypass Vulnerability

CVE-2024-6366 is an authorization bypass flaw in the Cozmoslabs Profile Builder WordPress plugin that allows unauthenticated media uploads. This article covers the technical details, affected versions, and mitigation.


CVE-2024-6366 Overview

CVE-2024-6366 affects the Profile Builder WordPress plugin from Cozmoslabs in versions prior to 3.11.8. The plugin fails to enforce proper authorization checks on its asynchronous media upload functionality. Unauthenticated attackers can upload arbitrary media files to vulnerable WordPress sites by abusing the WordPress async upload endpoint exposed through the plugin. The flaw is classified as Unrestricted Upload of File with Dangerous Type [CWE-434]. With an EPSS probability of 91.471% placing it in the 99th percentile, this issue sees significant scanning and exploitation interest.

Critical Impact

Unauthenticated remote attackers can upload media files to WordPress sites running vulnerable Profile Builder versions, enabling content tampering and potential follow-on attacks.

Affected Products

  • Cozmoslabs Profile Builder WordPress plugin versions before 3.11.8
  • WordPress sites with Profile Builder Free, Pro, or Hobbyist editions installed
  • All WordPress deployments exposing the plugin's async upload functionality

Discovery Timeline

  • 2024-07-29 - CVE-2024-6366 published to NVD
  • 2025-05-30 - Last updated in NVD database

Technical Details for CVE-2024-6366

Vulnerability Analysis

The Profile Builder plugin extends WordPress user registration and profile management with custom forms and fields. The plugin integrates with WordPress core's async-upload.php workflow to handle avatar and attachment uploads from front-end forms. The vulnerability stems from missing authorization checks on the handler that processes these asynchronous upload requests.

Unauthenticated requests reach the upload handler without capability verification. Attackers do not need valid credentials, nonces, or an existing user session to invoke the functionality. The plugin treats the request as legitimate and writes the supplied file into the WordPress uploads directory.

The issue maps to [CWE-434] Unrestricted Upload of File with Dangerous Type. While WordPress core enforces MIME filtering for the standard async upload path, gaps in the plugin's authorization layer expose the functionality to anonymous callers and increase the available attack surface against the media library.

Root Cause

The Profile Builder code path that handles asynchronous uploads does not call current_user_can() or verify an authenticated nonce before invoking wp_handle_upload(). Authorization is assumed rather than enforced, which allows any HTTP client to drive the upload workflow.

Attack Vector

Exploitation requires only network access to the target site. An attacker sends an HTTP POST request to the WordPress async upload endpoint, including parameters consumed by the Profile Builder upload handler. The plugin processes the request without authentication and stores the supplied file. See the WPScan Vulnerability Report for the technical write-up.

Detection Methods for CVE-2024-6366

Indicators of Compromise

  • Unauthenticated POST requests to wp-admin/async-upload.php originating from clients without an established WordPress session
  • New files appearing in wp-content/uploads/ that do not correspond to legitimate user or administrator activity
  • Profile Builder plugin versions below 3.11.8 reported by site inventory scans

Detection Strategies

  • Review web server access logs for POST requests to async-upload.php lacking authenticated cookies or referrers tied to legitimate front-end forms
  • Hash and compare files in the WordPress uploads directory against known good baselines to surface anonymous uploads
  • Run WordPress security scanners that consume the WPScan vulnerability feed to identify vulnerable Profile Builder installations
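The first detection strategy above, as an added example that is not part of the original advisory: it parses constructed access-log lines and flags POSTs to async-upload.php that carry no WordPress login cookie. It assumes a custom Apache LogFormat that records the Cookie header (the default combined format does not), so the field layout is an assumption.

```python
import re

# Constructed sample lines in an assumed custom Apache LogFormat:
#   "%h %t \"%r\" %>s \"%{Referer}i\" \"%{Cookie}i\""
# The default combined format does not log cookies, so this must be configured.
SAMPLE_LOG = """\
203.0.113.7 [29/Jul/2024:10:01:02 +0000] "POST /wp-admin/async-upload.php HTTP/1.1" 200 "-" "-"
198.51.100.4 [29/Jul/2024:10:02:15 +0000] "POST /wp-admin/async-upload.php HTTP/1.1" 200 "https://example.org/wp-admin/post.php" "wordpress_logged_in_abc123=user%7C1; wp-settings-1=x"
203.0.113.7 [29/Jul/2024:10:03:40 +0000] "POST /wp-admin/async-upload.php?short=1 HTTP/1.1" 200 "https://example.org/register/" "PHPSESSID=zzz"
192.0.2.9 [29/Jul/2024:10:04:00 +0000] "GET /wp-admin/async-upload.php HTTP/1.1" 403 "-" "-"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) "(?P<referer>[^"]*)" "(?P<cookie>[^"]*)"$'
)


def has_wp_session(cookie_header: str) -> bool:
    """True if any cookie name starts with wordpress_logged_in_ (the WP auth cookie)."""
    for part in cookie_header.split(";"):
        name = part.strip().split("=", 1)[0]
        if name.startswith("wordpress_logged_in_"):
            return True
    return False


def suspicious_async_uploads(log_text: str) -> list:
    """Return POSTs to async-upload.php that carry no WordPress login cookie.

    The query string is stripped before matching so ?short=1 variants are caught.
    """
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        path = m["path"].split("?", 1)[0]
        if m["method"] != "POST" or not path.endswith("/wp-admin/async-upload.php"):
            continue
        if has_wp_session(m["cookie"]):
            continue
        hits.append({"ip": m["ip"], "ts": m["ts"], "status": int(m["status"]),
                     "referer": m["referer"]})
    return hits


if __name__ == "__main__":
    for hit in suspicious_async_uploads(SAMPLE_LOG):
        print(hit)
```

Requests that returned 200 without a session cookie are the ones worth correlating with new files in wp-content/uploads/.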

Monitoring Recommendations

  • Forward WordPress access logs and PHP error logs to a centralized log platform and alert on spikes in async upload activity
  • Monitor for creation of files with executable or script extensions in the uploads directory
  • Track plugin version inventory across WordPress estates to detect outdated Profile Builder installations
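The uploads-directory baseline comparison and the script-extension monitoring above, as one added example (not code from the advisory or the plugin): it hashes a constructed uploads tree, diffs it against a baseline, and flags files whose name carries a script extension at any position, including the .htaccess file, which is an assumed addition to the watch list.

```python
import hashlib
import tempfile
from pathlib import Path

# Names/extensions that should never appear under wp-content/uploads
# (assumed watch list: PHP handler variants plus .htaccess).
SCRIPT_EXTENSIONS = {".php", ".php5", ".php7", ".phtml", ".phar", ".htaccess"}


def hash_tree(root: Path) -> dict:
    """Map relative path -> SHA-256 for every regular file under root."""
    result = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            result[str(path.relative_to(root))] = hashlib.sha256(path.read_bytes()).hexdigest()
    return result


def audit_uploads(root: Path, baseline: dict) -> dict:
    """Compare the live uploads tree with a baseline and flag anomalies."""
    current = hash_tree(root)
    findings = {"new": [], "modified": [], "script": []}
    for rel, digest in current.items():
        if rel not in baseline:
            findings["new"].append(rel)
        elif baseline[rel] != digest:
            findings["modified"].append(rel)
        # Check every suffix, not just the last, so "photo.php.jpg" is caught too;
        # the bare file name covers dotfiles such as .htaccess, which have no suffix.
        markers = {s.lower() for s in Path(rel).suffixes} | {Path(rel).name.lower()}
        if markers & SCRIPT_EXTENSIONS:
            findings["script"].append(rel)
    return findings


def demo() -> dict:
    """Build a constructed uploads tree, take a baseline, then add and alter files."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        month = root / "2024" / "07"
        month.mkdir(parents=True)
        (month / "avatar.png").write_bytes(b"\x89PNG legit")
        baseline = hash_tree(root)
        (month / "avatar.png").write_bytes(b"\x89PNG tampered")     # modified
        (month / "banner.jpg").write_bytes(b"\xff\xd8 new image")   # new, benign
        (month / "photo.php.jpg").write_bytes(b"not an image")      # new, script marker
        (root / ".htaccess").write_bytes(b"constructed sample")     # new, script marker
        return audit_uploads(root, baseline)
```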

How to Mitigate CVE-2024-6366

Immediate Actions Required

  • Upgrade Profile Builder to version 3.11.8 or later on every affected WordPress site
  • Audit the wp-content/uploads/ directory for files added since the plugin was installed and remove unauthorized artifacts
  • Restrict access to async-upload.php at the web server or WAF layer to authenticated sessions where feasible

Patch Information

Cozmoslabs addressed the issue in Profile Builder 3.11.8 by adding authorization checks to the asynchronous upload handler. Site operators should update through the WordPress plugin manager or by deploying the updated plugin package. Refer to the WPScan Vulnerability Report for advisory details.

Workarounds

  • Disable the Profile Builder plugin until the patched version can be deployed
  • Block unauthenticated POST requests to async-upload.php using a web application firewall rule
  • Enforce strict MIME type and extension allow-lists on the WordPress uploads directory at the server level
```apache
# Example WAF rule concept: deny anonymous POSTs to async-upload.php
# Adjust to your WAF syntax and authentication cookie name.
# REQUEST_FILENAME is used instead of REQUEST_URI because REQUEST_URI includes
# the query string, so "@endsWith" would miss requests such as ?short=1.
SecRule REQUEST_FILENAME "@endsWith /wp-admin/async-upload.php" \
  "phase:1,deny,status:403,chain,id:1006366,t:none"
  SecRule REQUEST_METHOD "@streq POST" \
    "chain"
    SecRule &REQUEST_COOKIES:/wordpress_logged_in_/ "@eq 0"
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
