CVE-2024-11635
Published: 08 January 2025
Summary
CVE-2024-11635 is a critical-severity Code Injection (CWE-94) vulnerability in Iptanus WordPress File Upload. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 3.3% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Deeper analysis
The WordPress File Upload plugin for WordPress is vulnerable to remote code execution in all versions through 4.24.12. The flaw is triggered through the wfu_ABSPATH cookie parameter and is tracked as CWE-94 (Code Injection), carrying a CVSS 3.1 score of 9.8 that reflects a network-reachable, low-complexity attack requiring no authentication.
Unauthenticated remote attackers can supply a crafted cookie value to execute arbitrary code on the underlying server, achieving full confidentiality, integrity, and availability impact without any user interaction.
Public references include a technical write-up at abrahack.com, the affected plugin file wfu_file_downloader.php in the WordPress SVN repository, and the corresponding Wordfence threat-intel entry; none of the provided sources detail specific patch versions or mitigation steps beyond the version range stated in the CVE description. The associated EPSS score has remained flat at 0.2918.
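As an added defender-side example (not code from the advisory, the plugin's authors or any of the cited sources), the following Python checks an installed plugin version against the affected range and flags web-server log entries for requests to wfu_file_downloader.php that carry a wfu_ABSPATH cookie. The log format (Apache combined log with the Cookie header appended as one extra field), the plugin directory name wp-file-upload and the sample log lines are assumptions.

```python
import re
# From the advisory: affected in all versions up to and including 4.24.12.
LAST_AFFECTED_VERSION = (4, 24, 12)
TARGET_SCRIPT = "wfu_file_downloader.php"  # plugin file named in the advisory
COOKIE_NAME = "wfu_ABSPATH"                 # cookie parameter named in the advisory

# Assumed log format: Apache combined log with the Cookie header appended as one extra quoted field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<cookies>[^"]*)"$'
)

def is_affected_version(version):
    # True when the installed plugin version is inside the range the CVE describes.
    return tuple(int(p) for p in version.strip().split(".")) <= LAST_AFFECTED_VERSION

def cookie_value(cookie_header, name):
    # Return one cookie's value from a raw Cookie header, or None if it is absent.
    for part in cookie_header.split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return value
    return None

def check_log_line(line, expected_abspath=None):
    # Flag a request to the downloader script that carries a wfu_ABSPATH cookie.
    # If the site's real ABSPATH is supplied, a cookie equal to it is treated as
    # benign; the cookie value is recorded for the analyst, not interpreted.
    match = LOG_RE.match(line)
    if not match:
        return None
    path = match.group("path").split("?", 1)[0]
    if not path.endswith("/" + TARGET_SCRIPT):
        return None
    value = cookie_value(match.group("cookies"), COOKIE_NAME)
    if value is None or value == expected_abspath:
        return None
    return {"ip": match.group("ip"), "time": match.group("ts"),
            "status": match.group("status"), COOKIE_NAME: value}

def scan(lines, expected_abspath=None):
    return [f for f in (check_log_line(ln, expected_abspath) for ln in lines) if f]

# Constructed sample lines; the plugin directory name is an assumption.
SAMPLE_LOG = [
    '198.51.100.7 - - [08/Jan/2025:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 4321 "wordpress_test_cookie=WP+Cookie+check"',
    '198.51.100.7 - - [08/Jan/2025:10:00:02 +0000] "GET /wp-content/plugins/wp-file-upload/wfu_file_downloader.php?file=report.pdf HTTP/1.1" 200 8876 "PHPSESSID=abc123"',
    '203.0.113.5 - - [08/Jan/2025:10:00:03 +0000] "GET /wp-content/plugins/wp-file-upload/wfu_file_downloader.php?file=x HTTP/1.1" 500 0 "PHPSESSID=def456; wfu_ABSPATH=constructed_untrusted_value"',
]
```

Running scan(SAMPLE_LOG) returns one finding, for the third sample line; passing expected_abspath tunes out any cookie that equals the site's own ABSPATH.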
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-34194
Vulnerability details
The WordPress File Upload plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.24.12 via the 'wfu_ABSPATH' cookie parameter. This makes it possible for unauthenticated attackers to execute code on the server.
- CWE(s): CWE-94 (Code Injection)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct unauthenticated RCE via code injection in public-facing WordPress plugin maps to exploitation of public-facing app and arbitrary command/script execution.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Requires timely patching of known flaws in vulnerable software components like the WordPress File Upload plugin versions up to 4.24.12 to prevent RCE exploitation.
- SI-10 (Information Input Validation): Mandates validation of untrusted inputs such as the 'wfu_ABSPATH' cookie parameter to block code injection (CWE-94) in the plugin.
- RA-5 (Vulnerability Monitoring and Scanning): Enables vulnerability scanning to identify and prioritize the CVE-2024-11635 flaw in installed WordPress plugins before exploitation.