CVE-2024-11613
CRITICALCVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3Description
The WordPress File Upload plugin for WordPress is vulnerable to Remote Code Execution, Arbitrary File Read, and Arbitrary File Deletion in all versions up to, and including, 4.24.15 via the 'wfu_file_downloader.php' file. This is due to lack of proper sanitization of the 'source' parameter and allowing a user-defined directory path. This makes it possible for unauthenticated attackers to execute code on the server.
Analysis
The WordPress File Upload plugin through version 4.24.15 contains critical vulnerabilities in wfu_file_downloader.php enabling remote code execution, arbitrary file read, and arbitrary file deletion. The lack of proper sanitization on the source parameter combined with user-defined directory paths allows unauthenticated attackers to fully compromise the server.
Technical Context
The wfu_file_downloader.php file accepts a source parameter that controls file operations without proper sanitization or access controls. An attacker can manipulate this parameter to: (1) read arbitrary files including wp-config.php, (2) delete critical files causing DoS, or (3) achieve code execution by chaining file operations with PHP filter chains or other exploitation techniques. No authentication is required.
Affected Products
['WordPress File Upload <= 4.24.15']
Remediation
Update to WordPress File Upload 4.24.16 or later. Restrict access to wfu_file_downloader.php at the web server level. Rotate database credentials and WordPress secret keys. Review file system integrity for unauthorized modifications or deletions.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today