Cyber Resilience

CVE-2024-11613

Critical · RCE

Published: 08 January 2025
Modified: 08 April 2026
KEV Added: not listed
Patch:
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.7866 (99.1st percentile)
Risk Priority: 67 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-11613 is a critical-severity Code Injection (CWE-94) vulnerability in Iptanus WordPress File Upload. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). By EPSS, it ranks in the top 0.9% of CVEs by exploit likelihood, but it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Deeper analysis

The WordPress File Upload plugin for WordPress is vulnerable to remote code execution, arbitrary file read, and arbitrary file deletion in all versions through 4.24.15. The issue resides in wfu_file_downloader.php, where insufficient sanitization of the user-supplied 'source' parameter allows an attacker-controlled directory path; this is the weakness tracked under CWE-94.

Unauthenticated attackers can exploit the vulnerability over the network to upload and execute arbitrary code, read sensitive files, or delete arbitrary files on the server, resulting in full compromise as reflected by the CVSS 9.8 score.

Public references point to a fix committed in changeset 3217005 of the plugin repository and to detailed analysis published by Abra Hack and Wordfence; administrators should update to a patched release once available through the WordPress plugin directory.

The associated EPSS score has remained near 0.79 since disclosure, indicating sustained exploitation interest without evidence of a sharp post-publication climb.

EU & UK References

Vulnerability details

The WordPress File Upload plugin for WordPress is vulnerable to Remote Code Execution, Arbitrary File Read, and Arbitrary File Deletion in all versions up to, and including, 4.24.15 via the 'wfu_file_downloader.php' file. This is due to lack of proper sanitization of the 'source' parameter and allowing a user-defined directory path. This makes it possible for unauthenticated attackers to execute code on the server.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1005 Data from Local System (Collection): Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
- T1070.004 File Deletion (Stealth): Adversaries may delete files left behind by the actions of their intrusion activity.

Why these techniques?

The vulnerability in a public-facing WordPress plugin directly enables unauthenticated remote exploitation (T1190), leading to arbitrary file read (T1005) and file deletion (T1070.004) via the unsanitized path parameter.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

- CVE-2024-11635 (same product: Iptanus WordPress File Upload)
- CVE-2024-9939 (same product: Iptanus WordPress File Upload)
- CVE-2026-40383 (same product class: CMS core)
- CVE-2026-34645 (same product class: CMS core)
- CVE-2026-23899 (same product class: CMS core)
- CVE-2024-8855 (same product class: CMS core)
- CVE-2024-13250 (same product class: CMS core)
- CVE-2026-21309 (same product class: CMS core)
- CVE-2026-21289 (same product class: CMS core)
- CVE-2026-34646 (same product class: CMS core)

Affected Assets

Vendor: iptanus
Product: wordpress file upload
Versions: ≤ 4.25.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

- [prevent] Directly mandates timely patching and remediation of the vulnerable WordPress File Upload plugin to eliminate the unsanitized 'source' parameter flaw.
- [prevent] SI-10 (Information Input Validation): Requires validation of information inputs like the 'source' parameter to prevent path traversal enabling RCE, arbitrary file read, and deletion.
- [prevent · detect] RA-5 (Vulnerability Monitoring and Scanning): Enables vulnerability scanning to identify the presence of CVE-2024-11613 in the plugin and initiate remediation.

References