CVE-2024-6220 is a critical security vulnerability affecting the Keydatas (简数采集器) plugin for WordPress, identified as CWE-434: Unrestricted Upload of File with Dangerous Type. The vulnerability arises from the keydatas_downloadImages function, which lacks proper validation of uploaded file types. This flaw allows unauthenticated attackers to upload arbitrary files, including potentially malicious scripts, to the server hosting the WordPress site. Because the plugin does not restrict file types or enforce authentication, attackers can remotely upload files that may lead to remote code execution (RCE), enabling full compromise of the affected system. The vulnerability affects all plugin versions up to and including 2.5.2. The CVSS v3.1 score is 9.8 (critical), reflecting its high impact on confidentiality, integrity, and availability, combined with ease of exploitation (network vector, no privileges or user interaction required). No official patches have been released yet, and no known exploits are currently reported in the wild. However, the vulnerability's nature and severity make it a prime target for attackers seeking to compromise WordPress sites using this plugin. The plugin is used primarily by Chinese-speaking users but may also be present in global WordPress installations. The lack of file type validation is a classic security oversight that can be exploited to upload web shells or other malicious payloads, leading to server takeover, data theft, defacement, or further lateral movement within the victim's network.

The impact of CVE-2024-6220 is severe for organizations worldwide using the Keydatas WordPress plugin. Successful exploitation can lead to remote code execution, allowing attackers to execute arbitrary commands on the web server. This can result in complete system compromise, data breaches, defacement, installation of backdoors, and pivoting to internal networks. Confidentiality is at risk as sensitive data stored or processed by the website can be exfiltrated. Integrity is compromised because attackers can modify website content or application logic. Availability may be disrupted through denial-of-service conditions or destruction of critical files. Since the vulnerability requires no authentication or user interaction, attackers can automate exploitation at scale, increasing the risk of widespread attacks. Organizations with public-facing WordPress sites using this plugin are particularly vulnerable, including e-commerce, government, education, and media sectors. The absence of a patch increases exposure time, and the lack of known exploits in the wild suggests a window for proactive defense before active exploitation begins.

1. Immediately disable or uninstall the Keydatas (简数采集器) plugin from all WordPress installations until a secure patched version is released. 2. If disabling the plugin is not feasible, implement strict web application firewall (WAF) rules to block file uploads with suspicious or executable extensions (e.g., .php, .phtml, .php5, .php7, .exe, .jsp). 3. Restrict upload directories with proper permissions and prevent execution of uploaded files by configuring the web server (e.g., disable script execution in upload folders). 4. Monitor web server logs and WordPress upload directories for unusual or unauthorized file uploads. 5. Employ intrusion detection/prevention systems (IDS/IPS) to detect exploitation attempts targeting this vulnerability. 6. Keep WordPress core and all plugins/themes updated; subscribe to vendor advisories for patch announcements. 7. Conduct regular security audits and penetration testing focusing on file upload functionalities. 8. Educate site administrators about the risks of installing unverified plugins and the importance of timely updates. 9. Consider deploying application-layer sandboxing or containerization to limit the impact of potential compromises. 10. Back up website data and configurations regularly and verify restoration procedures to minimize downtime in case of compromise.