CVE-2024-6828: CWE-434 Unrestricted Upload of File with Dangerous Type in davidanderson Redux Framework
Description
The Redux Framework plugin for WordPress is vulnerable to unauthenticated JSON file uploads due to missing authorization and capability checks on the Redux_Color_Scheme_Import function in versions 4.4.12 to 4.4.17. This makes it possible for unauthenticated attackers to upload JSON files, which can be used to conduct stored cross-site scripting attacks and, in some rare cases where the wp_filesystem fails to initialize, to achieve remote code execution.
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2024-07-16T23:35:55.802Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6c0cb7ef31ef0b55f5eb
Added to database: 2/25/2026, 9:39:24 PM
Last updated: 2/25/2026, 9:41:40 PM
Related Threats
- CVE-2024-3555 (High): CWE-862 Missing Authorization in gelform Social Link Pages: link-in-bio landing pages for your social media profiles
- CVE-2024-3554 (Medium): CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in smub All in One SEO – Best WordPress SEO Plugin – Easily Improve SEO Rankings & Increase Traffic
- CVE-2024-3553 (Medium): CWE-862 Missing Authorization in themeum Tutor LMS – eLearning and online course solution
- CVE-2024-3551 (Critical): CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in pencidesign Penci Soledad Data Migrator
- CVE-2024-3550 (Medium): CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in gn_themes WP Shortcodes Plugin — Shortcodes Ultimate