PatchSiren cyber security CVE debrief
CVE-2024-58348 background-image-cropper CVE debrief
CVE-2024-58348 is a critical remote code execution vulnerability in WordPress Background Image Cropper version 1.2. The vulnerability allows unauthenticated attackers to upload arbitrary files by accessing the ups.php endpoint, enabling the execution of arbitrary code on the server. The CVSS score for this vulnerability is 9.3, indicating a critical severity.
- Vendor: background-image-cropper
- Product: Unknown
- CVSS: CRITICAL 9.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-08
- Original CVE updated: 2026-06-08
- Advisory published: 2026-06-08
- Advisory updated: 2026-06-08
Who should care
Administrators and users of WordPress Background Image Cropper version 1.2 should be aware of this vulnerability and take immediate action to mitigate the risk.
Technical summary
The vulnerability exists in the ups.php endpoint of the WordPress Background Image Cropper plugin, allowing unauthenticated file uploads. Attackers can exploit this by uploading PHP files to execute arbitrary code on the server.
Defensive priority
High
Recommended defensive actions
- Update WordPress Background Image Cropper to a version that patches this vulnerability, if available.
- Restrict access to the ups.php endpoint.
- Monitor server logs for suspicious activity.
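An added example, not code from the advisory or the plugin: one way to carry out the log-monitoring action by triaging a web access log for requests to ups.php. The Combined Log Format, the plugin directory placeholder and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def hits_ups_endpoint(target):
    """True when any path segment is ups.php (query string ignored,
    percent-encoding and case normalised, PATH_INFO suffixes included)."""
    path = unquote(urlsplit(target).path).lower()
    return "ups.php" in path.split("/")

def triage(lines):
    """Group requests to ups.php by client IP. A POST answered with 2xx
    means the server accepted the request, so it ranks above a probe."""
    findings = defaultdict(lambda: {"probes": 0, "accepted_posts": []})
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not hits_ups_endpoint(m["target"]):
            continue
        entry = findings[m["ip"]]
        if m["method"] == "POST" and m["status"].startswith("2"):
            entry["accepted_posts"].append(m["time"])
        else:
            entry["probes"] += 1
    return dict(findings)

# Constructed sample lines: documentation IP ranges, placeholder plugin directory.
P = "/wp-content/plugins/PLUGIN-DIR-PLACEHOLDER"
SAMPLE = [
    f'203.0.113.7 - - [08/Jun/2026:10:01:02 +0000] "GET {P}/ups.php HTTP/1.1" 200 12 "-" "-"',
    f'203.0.113.7 - - [08/Jun/2026:10:01:05 +0000] "POST {P}/ups.php?x=1 HTTP/1.1" 200 40 "-" "-"',
    f'198.51.100.4 - - [08/Jun/2026:10:02:00 +0000] "POST {P}/UPS%2Ephp HTTP/1.1" 403 9 "-" "-"',
    '192.0.2.10 - - [08/Jun/2026:10:03:00 +0000] "GET /backups.php HTTP/1.1" 404 0 "-" "-"',
    '192.0.2.10 - - [08/Jun/2026:10:03:04 +0000] "POST /wp-login.php HTTP/1.1" 200 0 "-" "-"',
]

if __name__ == "__main__":
    for ip, f in sorted(triage(SAMPLE).items()):
        level = "INVESTIGATE" if f["accepted_posts"] else "probe"
        print(f"{level:11} {ip} posts={f['accepted_posts']} probes={f['probes']}")
```

An IP with an accepted POST warrants a review of files created on the server around the logged timestamp; a 403 on the same path indicates the access restriction is taking effect.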
Evidence notes
The CVE record and NVD detail provide evidence of this vulnerability. See the CVE-2024-58348 CVE record and NVD detail.
Official resources
CVE-2024-58348 was published on 2026-06-08T02:16:23.267Z and modified on 2026-06-08T14:59:44.750Z.