Description
WordPress Background Image Cropper version 1.2 contains a remote code execution vulnerability that allows unauthenticated attackers to upload arbitrary files by accessing the ups.php endpoint. Attackers can upload PHP files through the file upload form in the plugin directory to execute arbitrary code on the server.
Published: 2026-06-08
Score: 9.3 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

WordPress Background Image Cropper version 1.2 contains a remote code execution flaw that lets an attacker upload any file type through the ups.php endpoint. The vulnerability enables the upload of PHP scripts which the web server then executes, providing full control over the site. This weakness falls under CWE‑434, Unrestricted Upload of File With Dangerous Type, and allows attackers to compromise the integrity and confidentiality of the affected server without authentication.

Affected Systems

The flaw affects the Background Image Cropper plugin for WordPress, specifically version 1.2. No additional vendor or version information is available.

Risk and Exploitability

With a CVSS score of 9.3 the vulnerability is considered critical. The EPSS score is not provided, and the flaw is not listed in CISA’s KEV catalog, but the combination of unauthenticated access and the ability to execute code makes it highly exploitable. Attackers can directly target the plugin’s ups.php upload form to submit malicious PHP files and gain remote command execution on the host.

Generated by OpenCVE AI on June 8, 2026 at 03:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest version of the Background Image Cropper plugin or remove it if not required.
  • Restrict file uploads to safe MIME types and file extensions, rejecting PHP and other executable scripts.
  • Configure the web server so that the plugin’s upload directory does not allow execution of uploaded files (e.g., use .htaccess Deny from all or disable PHP execution in that folder).
  • Continuously monitor the site’s logs for suspicious upload activity and anomalous behavior.

Generated by OpenCVE AI on June 8, 2026 at 03:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 08 Jun 2026 02:00:00 +0000

Type Values Removed Values Added
Description WordPress Background Image Cropper version 1.2 contains a remote code execution vulnerability that allows unauthenticated attackers to upload arbitrary files by accessing the ups.php endpoint. Attackers can upload PHP files through the file upload form in the plugin directory to execute arbitrary code on the server.
Title WordPress Background Image Cropper 1.2 Remote Code Execution
Weaknesses CWE-434
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-08T01:55:30.617Z

Reserved: 2026-06-05T18:13:45.903Z

Link: CVE-2024-58348

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-08T02:16:23.267

Modified: 2026-06-08T02:16:23.267

Link: CVE-2024-58348

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-08T03:30:16Z

Weaknesses