Cyber Resilience

CVE-2024-11635

Critical · RCE

Published: 08 January 2025
Modified: 08 April 2026
KEV Added: not listed
Patch: none listed
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.2918 (96.7th percentile)
Risk Priority: 37 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-11635 is a critical-severity Code Injection (CWE-94) vulnerability in Iptanus Wordpress File Upload. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 3.3% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Deeper analysis

The WordPress File Upload plugin for WordPress is vulnerable to remote code execution in all versions through 4.24.12. The flaw is triggered through the wfu_ABSPATH cookie parameter and is classified as CWE-94 (Code Injection); its CVSS 3.1 score of 9.8 reflects a network-reachable attack vector with low complexity and no authentication or user interaction required.

Unauthenticated remote attackers can supply a crafted cookie value to execute arbitrary code on the underlying server, achieving full confidentiality, integrity, and availability impact without any user interaction.

Public references include a technical write-up at abrahack.com, the affected plugin file wfu_file_downloader.php in the WordPress SVN repository, and the corresponding Wordfence threat-intel entry; none of the provided sources detail specific patch versions or mitigation steps beyond the version range stated in the CVE description. The associated EPSS score has remained flat at 0.2918.


Vulnerability details

The WordPress File Upload plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.24.12 via the 'wfu_ABSPATH' cookie parameter. This makes it possible for unauthenticated attackers to execute code on the server.

CWE(s): CWE-94 (Code Injection)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059 Command and Scripting Interpreter (Execution): Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

Direct, unauthenticated RCE via code injection in a public-facing WordPress plugin maps to exploitation of a public-facing application (T1190) followed by arbitrary command or script execution on the server (T1059).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-11613: Same product (Iptanus Wordpress File Upload)
CVE-2024-9939: Same product (Iptanus Wordpress File Upload)
CVE-2024-11816: Same product class (CMS core)
CVE-2025-1971: Same product class (CMS core)
CVE-2026-27577: Shared CWE-94
CVE-2026-34645: Same product class (CMS core)
CVE-2024-54756: Shared CWE-94
CVE-2026-23899: Same product class (CMS core)
CVE-2024-8855: Same product class (CMS core)
CVE-2024-21760: Shared CWE-94

Affected Assets

Vendor: iptanus
Product: wordpress file upload
Versions: ≤ 4.24.15

Mitigating Controls (NIST 800-53 r5, AI-mapped)

prevent: Requires timely patching of known flaws in vulnerable software components, such as WordPress File Upload plugin versions up to 4.24.12, to prevent RCE exploitation.

prevent (SI-10, Information Input Validation): Mandates validation of untrusted inputs such as the 'wfu_ABSPATH' cookie parameter to block code injection (CWE-94) in the plugin.

detect (RA-5, Vulnerability Monitoring and Scanning): Enables vulnerability scanning to identify and prioritize the CVE-2024-11635 flaw in installed WordPress plugins before exploitation.
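The two defensive controls above (RA-5 scanning for the affected version range, SI-10 treating the wfu_ABSPATH cookie as untrusted input) can be exercised with the following added example. It is not code from this page, from Iptanus, or from the plugin: it checks an installed plugin version against the affected bound and flags access-log requests that reach wfu_file_downloader.php while carrying a client-supplied wfu_ABSPATH cookie whose value is not the site's real document root. The log line format, the plugin directory slug, the sample header, the IP addresses and the expected ABSPATH are all constructed assumptions. The version bound is a parameter because the CVE text on this page says "through 4.24.12" while the asset entry lists "≤ 4.24.15".

```python
"""Defender-side checks for CVE-2024-11635 (constructed example, not plugin code).

1. is_affected(): compare an installed WordPress File Upload version with the
   affected range (RA-5 vulnerability scanning).
2. scan_log(): surface requests to wfu_file_downloader.php that carry a
   wfu_ABSPATH cookie not matching the real ABSPATH (SI-10 applied as detection).
"""
import re
from typing import Iterable, Iterator, Optional, Tuple
from urllib.parse import unquote

# Bound taken from the CVE description on this page; the page's asset entry says
# 4.24.15, so callers can pass either.
LAST_AFFECTED = "4.24.12"


def parse_version(v: str) -> Tuple[int, ...]:
    """'4.24.12' -> (4, 24, 12); a non-numeric component such as 'beta' counts as 0."""
    parts = []
    for p in v.strip().split("."):
        m = re.match(r"\d+", p)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def is_affected(installed: str, last_affected: str = LAST_AFFECTED) -> bool:
    """True when installed <= last_affected, comparing zero-padded numeric components."""
    a, b = parse_version(installed), parse_version(last_affected)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) <= b + (0,) * (n - len(b))


def version_from_plugin_header(header: str) -> Optional[str]:
    """Read the 'Version:' line of a WordPress plugin header comment block."""
    m = re.search(r"^\s*\*?\s*Version:\s*([0-9][\w.\-]*)", header, re.M)
    return m.group(1) if m else None


# Constructed header text in the standard WordPress plugin-header layout (assumption).
SAMPLE_HEADER = "/*\n * Plugin Name: WordPress File Upload\n * Version: 4.24.12\n */\n"

# Constructed log format (assumption): '<ip> <method> <path> cookie="<Cookie header>"'.
# Stock combined logs do not record cookies; this assumes the proxy was told to log them.
LOG_RE = re.compile(r'^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) cookie="(?P<cookie>[^"]*)"')


def cookie_value(cookie_header: str, name: str) -> Optional[str]:
    """Return the (percent-decoded) value of cookie `name` from a raw Cookie header."""
    for part in cookie_header.split(";"):
        k, _, v = part.strip().partition("=")
        if k == name:
            return unquote(v)
    return None


def scan_log(lines: Iterable[str], expected_abspath: str) -> Iterator[Tuple[str, str, str, str]]:
    """Yield (ip, path, wfu_ABSPATH value, severity) for requests of interest.

    'high': cookie present and its value differs from the site's real root
            (a client-chosen path is the input the CVE text says is abused).
    'low' : cookie present and equal to the real root; kept for review.
    """
    for line in lines:
        m = LOG_RE.match(line)
        if not m or "wfu_file_downloader.php" not in m["path"]:
            continue
        val = cookie_value(m["cookie"], "wfu_ABSPATH")
        if val is None:
            continue
        yield (m["ip"], m["path"], val, "high" if val != expected_abspath else "low")


# Constructed sample lines; the plugin directory slug is an assumption.
_DL = "/wp-content/plugins/wordpress-file-upload/wfu_file_downloader.php"
SAMPLE_LOG = [
    f'203.0.113.10 GET {_DL} cookie="wfu_ABSPATH=%2Fvar%2Fwww%2Fhtml%2F; wordpress_test_cookie=WP"',
    f'203.0.113.11 GET {_DL} cookie="wfu_ABSPATH=%2Ftmp%2Fnot-the-webroot%2F"',
    '198.51.100.5 GET /index.php cookie="wfu_ABSPATH=%2Ftmp%2F"',
    f'198.51.100.6 GET {_DL} cookie="PHPSESSID=abc"',
]


def findings(lines=SAMPLE_LOG, expected_abspath: str = "/var/www/html/"):
    """Run the scan over the constructed sample and return the list of findings."""
    return list(scan_log(lines, expected_abspath))


if __name__ == "__main__":
    ver = version_from_plugin_header(SAMPLE_HEADER)
    print(f"installed {ver}: affected={is_affected(ver)}")
    for ip, path, val, sev in findings():
        print(f"[{sev}] {ip} {path} wfu_ABSPATH={val!r}")
```

Only the second sample line is reported as high: it reaches the downloader with a wfu_ABSPATH value that is not the document root. The request to /index.php is ignored even though it carries the cookie, and the downloader request without the cookie is ignored too, so the rule stays quiet on ordinary traffic.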
