CVE-2024-11613
Published: 08 January 2025
Summary
CVE-2024-11613 is a critical-severity Code Injection (CWE-94) vulnerability in Iptanus Wordpress File Upload. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 0.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Deeper analysis
The WordPress File Upload plugin for WordPress is vulnerable to remote code execution, arbitrary file read, and arbitrary file deletion in all versions through 4.24.15. The issue resides in wfu_file_downloader.php, where insufficient sanitization of the user-supplied “source” parameter permits an attacker-controlled directory path, enabling the flaws tracked under CWE-94.
Unauthenticated attackers can exploit the vulnerability over the network to upload and execute arbitrary code, read sensitive files, or delete arbitrary files on the server, resulting in full compromise as reflected by the CVSS 9.8 score.
Public references point to a fix committed in changeset 3217005 of the plugin repository and to detailed analysis published by Abra Hack and Wordfence; administrators should update to a patched release once available through the WordPress plugin directory.
The associated EPSS score has remained near 0.79 since disclosure, indicating sustained exploitation interest without evidence of a sharp post-publication climb.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-34146
Vulnerability details
The WordPress File Upload plugin for WordPress is vulnerable to Remote Code Execution, Arbitrary File Read, and Arbitrary File Deletion in all versions up to, and including, 4.24.15 via the 'wfu_file_downloader.php' file. This is due to lack of proper sanitization of the 'source' parameter and allowing a user-defined directory path. This makes it possible for unauthenticated attackers to execute code on the server.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A vulnerability in a public-facing WordPress plugin directly enables unauthenticated remote exploitation (T1190), which leads to arbitrary file read (T1005) and file deletion (T1070.004) through the unsanitized path parameter.
Mitigating Controls (NIST 800-53 r5)
- Directly mandates timely patching and remediation of the vulnerable WordPress File Upload plugin to eliminate the unsanitized 'source' parameter flaw.
- Requires validation of information inputs like the 'source' parameter to prevent path traversal enabling RCE, arbitrary file read, and deletion.
- Enables vulnerability scanning to identify the presence of CVE-2024-11613 in the plugin and initiate remediation.
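The root cause described in the analysis above, and the input-validation control (SI-10) recommended here, both come down to one check: a user-supplied directory or file parameter must never be allowed to name a location outside the directory the application intends to serve. The following PHP function is an added illustration of that check and is not code from the WordPress File Upload plugin or its fix. The function name, the base-directory layout and the sample files are constructed for the example; it assumes a POSIX filesystem and PHP 7.4 or later.

```php
<?php
// Added example, not the plugin's code: confine a user-supplied path
// parameter (such as a 'source' directory) to a fixed base directory
// before it is used for any read or delete. Names are hypothetical.

/**
 * Resolve $userSource relative to $baseDir and return the canonical path
 * only if it stays inside $baseDir; return null for anything else.
 */
function resolve_confined_path(string $baseDir, string $userSource): ?string
{
    // Embedded NUL bytes truncate paths in the underlying C calls.
    if (strpos($userSource, "\0") !== false) {
        return null;
    }
    // Refuse empty input, absolute paths and stream wrappers (php://, phar://, ...).
    if ($userSource === ''
        || $userSource[0] === '/'
        || preg_match('#^[a-z][a-z0-9+.-]*://#i', $userSource)) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null; // the base directory itself must exist
    }
    // realpath() collapses "." and ".." and resolves symlinks, so the
    // comparison below is made on the real location, not on the spelling.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $userSource);
    if ($candidate === false) {
        return null; // target does not exist (or traversal led nowhere)
    }
    // Accept the base itself or anything strictly below it, and nothing else.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if ($candidate !== $base && strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// Constructed sample layout for a stand-alone run.
$uploads = sys_get_temp_dir() . '/confined_path_example';
@mkdir($uploads . '/2024', 0700, true);
file_put_contents($uploads . '/2024/report.pdf', 'constructed sample');

var_dump(resolve_confined_path($uploads, '2024/report.pdf') !== null); // bool(true)
var_dump(resolve_confined_path($uploads, '2024/../../outside.txt'));    // NULL
var_dump(resolve_confined_path($uploads, '/outside.txt'));             // NULL
```

The decision is made on the canonical path returned by realpath(), not on the raw string, so encoded or repeated "../" segments and symlinks pointing outside the base are all rejected by the same prefix comparison; a denylist of "../" substrings would not give that guarantee. Callers should treat a null return as a hard failure (log it and return an error), since any request that reaches this branch is by construction asking for a location the application never meant to expose.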