CVE-2024-6161 is a vulnerability classified under CWE-434 (Unrestricted Upload of File with Dangerous Type) found in the Default Thumbnail Plus plugin for WordPress, maintained by pjgalbraith. The flaw exists in the 'get_cache_image' function, which fails to validate the type of files uploaded by authenticated users with contributor-level or higher permissions. This lack of validation allows attackers to upload arbitrary files, including potentially malicious scripts, to the server hosting the WordPress site. Because the uploaded files can be executed, this vulnerability can lead to remote code execution (RCE), compromising the confidentiality, integrity, and availability of the affected system. The vulnerability affects all versions up to and including 1.0.2.3 of the plugin. The CVSS v3.1 base score is 8.8, reflecting network attack vector, low attack complexity, privileges required (contributor or higher), no user interaction, and high impact on confidentiality, integrity, and availability. Although no exploits have been publicly reported yet, the vulnerability poses a significant risk due to the common use of WordPress and the plugin in question. Attackers who gain contributor-level access—which can sometimes be obtained through social engineering or other vulnerabilities—can leverage this flaw to escalate privileges and execute arbitrary code on the server. This can result in full site compromise, data theft, defacement, or use of the server as a pivot point for further attacks.

The impact of CVE-2024-6161 is severe for organizations running WordPress sites with the Default Thumbnail Plus plugin. Successful exploitation can lead to remote code execution, allowing attackers to execute arbitrary commands on the web server. This can result in complete site takeover, data breaches, defacement, installation of backdoors, or use of the compromised server for launching attacks on other networks. The vulnerability affects the confidentiality, integrity, and availability of the affected systems. Since contributor-level access is sufficient to exploit the flaw, attackers with limited privileges can escalate their control, increasing the risk of insider threats or exploitation via compromised user accounts. The widespread use of WordPress globally means a large attack surface, especially for organizations that do not regularly update plugins or enforce strict access controls. The absence of known public exploits currently reduces immediate risk but also means that attackers may develop exploits rapidly once the vulnerability is widely known.

To mitigate CVE-2024-6161, organizations should immediately audit their WordPress installations for the presence of the Default Thumbnail Plus plugin and verify the version in use. Since no official patch links are currently available, administrators should consider temporarily disabling or uninstalling the plugin until a fixed version is released. Restrict contributor-level permissions strictly and review user roles to minimize the number of users who can upload files. Implement web application firewalls (WAFs) with rules to detect and block suspicious file upload patterns and monitor logs for unusual activity related to file uploads. Harden the server by disabling execution permissions in upload directories to prevent execution of uploaded scripts. Employ intrusion detection systems (IDS) to alert on potential exploitation attempts. Regularly update WordPress core, themes, and plugins to reduce exposure to known vulnerabilities. Finally, educate users about the risks of privilege escalation and enforce strong authentication mechanisms to reduce the likelihood of compromised accounts.