Cyber Posture

CVE-2024-11635

Critical · RCE

Published: 08 January 2025

Modified: 08 April 2026
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.2369 (96.0th percentile)
Risk Priority: 34 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-11635 is a critical-severity Code Injection (CWE-94) vulnerability in Iptanus Wordpress File Upload. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 4.0% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

- prevent: Requires timely patching of known flaws in vulnerable software components like the WordPress File Upload plugin versions up to 4.24.12 to prevent RCE exploitation.
- prevent: Mandates validation of untrusted inputs such as the 'wfu_ABSPATH' cookie parameter to block code injection (CWE-94) in the plugin.
- detect: Enables vulnerability scanning to identify and prioritize the CVE-2024-11635 flaw in installed WordPress plugins before exploitation.

NVD Description

The WordPress File Upload plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.24.12 via the 'wfu_ABSPATH' cookie parameter. This makes it possible for unauthenticated attackers to execute code on the server.

Deeper analysis

CVE-2024-11635, published on 2025-01-08, is a critical Remote Code Execution vulnerability (CVSS 9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) classified under CWE-94 (Code Injection) in the WordPress File Upload plugin for WordPress. It affects all versions up to and including 4.24.12 and is exploitable via manipulation of the 'wfu_ABSPATH' cookie parameter, enabling arbitrary code execution on the server.

Unauthenticated attackers can exploit this vulnerability over the network with low attack complexity and no user interaction. Successful exploitation provides high impacts on confidentiality, integrity, and availability, allowing full control over the affected server.

Advisories and analyses, including Wordfence threat intelligence at https://www.wordfence.com/threat-intel/vulnerabilities/id/b5165f60-6515-4a2c-a124-cc88155eaf01?source=cve and a detailed breakdown at https://abrahack.com/posts/wp-file-upload-rce-part1/, provide further context. The plugin's source code, such as wfu_file_downloader.php at https://plugins.svn.wordpress.org/wp-file-upload/trunk/wfu_file_downloader.php, is referenced for review.

Details

CWE(s): CWE-94 (Code Injection)

Affected Products: iptanus wordpress file upload ≤ 4.24.15

CVEs Like This One

- CVE-2024-11613 (same product: Iptanus Wordpress File Upload)
- CVE-2024-9939 (same product: Iptanus Wordpress File Upload)
- CVE-2024-40748 (same product class: CMS core)
- CVE-2024-55924 (same product class: CMS core)
- CVE-2026-40488 (same product class: CMS core)
- CVE-2025-24416 (same product class: CMS core)
- CVE-2026-21289 (same product class: CMS core)
- CVE-2025-24410 (same product class: CMS core)
- CVE-2024-11816 (same product class: CMS core)
- CVE-2025-1971 (same product class: CMS core)

References