Cyber Resilience

CVE-2024-12209

Critical

Published: 08 December 2024
Modified: 15 April 2026
KEV Added: not listed
CVSS v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.8985 (99.6th percentile)
Risk Priority: 74 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-12209 is a critical-severity file inclusion vulnerability (CWE-98, "PHP Remote File Inclusion", the CWE that also covers local includes) in the WP Umbrella: Update Backup Restore & Monitoring plugin for WordPress; the affected product is inferred from the references. Its CVSS v3.1 base score is 9.8 (Critical): network-reachable, low complexity, no privileges or user interaction required, with high impact on confidentiality, integrity and availability.

Operationally, its EPSS score of 0.8985 places it in the top 0.4% of CVEs by exploit likelihood (99.6th percentile); it is not currently listed in the CISA KEV catalog.

Deeper analysis

The WP Umbrella: Update Backup Restore & Monitoring plugin for WordPress is vulnerable to local file inclusion in all versions up to and including 2.17.0. The flaw is in the 'umbrella-restore' action handler, where the 'filename' parameter reaches a PHP include without sanitization or path validation. An attacker can therefore supply an arbitrary path; the named file is included, and any PHP it contains executes in the web server process.

Unauthenticated attackers can exploit the issue over the network by sending a crafted request that references any file readable by the web server process. Successful exploitation allows execution of arbitrary PHP code, bypass of access controls and disclosure of sensitive data. The impact is most severe where an attacker can first place a file containing PHP on the server (for example through an upload feature that accepts images or other "safe" file types) and then include it via this vector, turning the inclusion into full remote code execution.

The supplied references point to the vulnerable code in RestoreRouter.php and the corresponding plugin changeset, but contain no explicit mitigation guidance beyond the implied requirement to update beyond version 2.17.0. The EPSS score remains near 0.9 with negligible movement between its recorded peak and current value.
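The pattern the advisory describes, and one way to close it, as an added example written for this page. It is not the WP Umbrella plugin's code: the function names, the backup directory layout and the JSON manifest format are assumptions made here to illustrate the CWE-98 include pattern and a hardened replacement that treats user-supplied names as data rather than code.

```php
<?php
// Added example, not the WP Umbrella plugin's code. Function names, the
// backup directory layout and the manifest format are assumptions made here
// to illustrate the CWE-98 pattern the advisory describes and one way to close it.

// VULNERABLE PATTERN: an attacker-controlled name reaches include unchecked.
// Any file the PHP worker can read can be pulled in, and if it contains
// "<?php ... ?>" (even inside a file named .jpg) that code runs.
function restore_vulnerable(string $baseDir, string $filename): void
{
    include $baseDir . '/' . $filename;   // '../avatar.jpg' walks out of $baseDir
}

// HARDENED: resolve the name inside one fixed directory, reject anything that
// is not a plain manifest name, canonicalise, and prove the result is still
// under $baseDir. Returns the absolute path or null.
function resolve_backup_path(string $baseDir, string $filename): ?string
{
    // NUL bytes are rejected up front (PHP 8 throws on them in filesystem calls;
    // older versions silently truncated the path at the NUL).
    if ($filename === '' || strpos($filename, "\0") !== false) {
        return null;
    }
    // basename() drops every directory component, including "..".
    $name = basename($filename);
    // Allowlist: must start with an alphanumeric (no dotfiles) and end in .json.
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]*\.json$/', $name)) {
        return null;
    }
    $realBase = realpath($baseDir);
    $real     = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($realBase === false || $real === false) {
        return null;
    }
    // Containment check against the canonical base (defeats symlinks inside the dir).
    $prefix = $realBase . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real;
}

// The restore step then treats the manifest as data (decode), never as code (include).
function restore_hardened(string $baseDir, string $filename): ?array
{
    $path = resolve_backup_path($baseDir, $filename);
    if ($path === null) {
        return null;
    }
    $manifest = json_decode((string) file_get_contents($path), true);
    return is_array($manifest) ? $manifest : null;
}

// Constructed demo directory so the script runs stand-alone.
$demo = sys_get_temp_dir() . '/lfi-demo-' . getmypid();
mkdir($demo . '/backups', 0700, true);
file_put_contents($demo . '/backups/site-2024-12-01.json', '{"site":"example","tables":3}');
// A planted upload outside the backup directory: image extension, PHP inside.
file_put_contents($demo . '/avatar.jpg', '<?php echo "[planted PHP executed]\n"; ?>');

$probes = [
    'site-2024-12-01.json',        // legitimate manifest
    '../avatar.jpg',               // traversal to the planted file
    '../../../../etc/passwd',      // arbitrary readable file
    "site-2024-12-01.json\0.php",  // NUL truncation attempt
    '.htaccess',                   // dotfile in the backup directory
];

echo "vulnerable handler with '../avatar.jpg': ";
restore_vulnerable($demo . '/backups', '../avatar.jpg');

foreach ($probes as $p) {
    $r = restore_hardened($demo . '/backups', $p);
    printf("hardened %-30s -> %s\n", addcslashes($p, "\0"), $r === null ? 'REJECTED' : json_encode($r));
}
```

Run it with `php lfi-demo.php`: the vulnerable handler prints the planted file's output, while the hardened path accepts only the legitimate manifest and rejects the traversal, the arbitrary file, the NUL-byte variant and the dotfile. Two further points for a WordPress handler: because the advisory notes the flaw is reachable unauthenticated, the action should be gated by a capability check (`current_user_can()`) and a nonce (`check_ajax_referer()` or `wp_verify_nonce()`) before any file operation, and a restore routine should never pass user-supplied names to `include` or `require` at all, since no amount of path filtering changes the fact that whatever is included runs as code.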


Vulnerability details

The WP Umbrella: Update Backup Restore & Monitoring plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.17.0 via the 'filename' parameter of the 'umbrella-restore' action. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other "safe" file types can be uploaded and included.

CWE(s)

CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

WordPress (WP Umbrella: Update Backup Restore & Monitoring plugin, versions up to and including 2.17.0)
Inferred from the references and description; NVD did not file a CPE for this CVE.

Mitigating Controls

No mitigating controls mapped yet; the per-CVE control annotator has not reached this CVE. The references imply updating the plugin beyond version 2.17.0.
