What is CVE-2024-6366?

CVE-2024-6366 is a vulnerability in User Profile Builder, classified under CWE-862 MISSING AUTHORIZATION. Published 2024-07-29.

Is CVE-2024-6366 known to be exploited?

7 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Vulnerability in User Profile Builder

CVE-2024-6366

The User Profile Builder WordPress plugin before 3.11.8 does not have proper authorisation, allowing unauthenticated users to upload media files via the async upload functionality of WP.

EPSS: 0.913 (99.7th percentile) — read the EPSS interpretation.

Affected products

Unknown User Profile Builder — versions 0

Public proof-of-concept exploits

Nxploited/CVE-2024-6366-PoC
Abdurahmon3236/CVE-2024-6366
fkie-cad/nvd-json-data-feeds
20142995/nuclei-templates
purwocode/burning-wp
nomi-sec/PoC-in-GitHub
drcrypterdotru/BurnWP-Framework

References

wpscan.com/vulnerability/5b90cbdd-52cc-4e7b-bf39-bea0dd59e19e/ (exploit, vdb-entry, technical-description)

Frequently asked questions

What is CVE-2024-6366?: CVE-2024-6366 is a vulnerability in User Profile Builder, classified under CWE-862 MISSING AUTHORIZATION. Published 2024-07-29.
Is CVE-2024-6366 known to be exploited?: 7 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.