CVE-2024-12209
Published: 08 December 2024
Summary
CVE-2024-12209 is a critical-severity PHP file inclusion vulnerability (CWE-98, Improper Control of Filename for Include/Require Statement) in the WP Umbrella: Update Backup Restore & Monitoring plugin for WordPress. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 0.4% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.
Deeper analysis
The WP Umbrella: Update Backup Restore & Monitoring plugin for WordPress is vulnerable to local file inclusion in all versions up to and including 2.17.0. The flaw is in the 'umbrella-restore' action handler, where the 'filename' request parameter is used to build an include path without sanitization or path validation, so an attacker can supply an arbitrary file path that the handler then includes and executes as PHP.
Unauthenticated attackers can exploit the issue over the network by sending a crafted request whose 'filename' value points at any file readable by the web server process. PHP executes whatever code the included file contains, which can bypass access controls or disclose sensitive data; it becomes full remote code execution when the attacker can first place a file containing PHP on the server (for instance an uploaded image or other "safe" file type) and then include it through this vector.
The supplied references point to the vulnerable code in RestoreRouter.php and the corresponding plugin changeset, but contain no explicit mitigation guidance beyond the implied requirement to update to a version later than 2.17.0. The EPSS score remains near 0.9, with negligible movement between its recorded peak and current value.
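The include pattern described above, shown as an added example that is not the plugin's own code from RestoreRouter.php or its changeset: the handler name, the way the 'filename' parameter reaches it, and the backup-directory layout are all assumptions made for illustration. The vulnerable function hands the request value straight to include; the hardened resolver accepts only a bare file name of the expected archive type, canonicalises it under one fixed directory, and proves containment after symlink resolution before the file is opened for reading (a restore routine has no reason to include a user-named file at all). In WordPress the same handler would also need a capability check and a nonce check; those calls are omitted here because they require WordPress to be loaded.

```php
<?php
// Added example, not code from the WP Umbrella plugin or its fix.
// Assumptions (hypothetical): a request parameter 'filename' reaches a
// restore routine that builds a path from it; the real handler's
// signature and variable names in RestoreRouter.php are not shown here.
declare(strict_types=1);

/**
 * Vulnerable shape (CWE-98): the request value is the whole include path.
 * "../../wp-config.php", "/etc/passwd", or an uploaded avatar.jpg that
 * contains <?php ... ?> are all included and executed by PHP.
 */
function restore_vulnerable(string $filename): void
{
    include $filename;
}

/**
 * Hardened shape: resolve the name to one known directory and one expected
 * file type, canonicalise, and prove containment before opening the file.
 * Returns the canonical path, or null if the name must be rejected.
 */
function resolve_restore_file(string $backupDir, string $filename): ?string
{
    // A backup name is a bare file name: no directory parts, no stream wrappers.
    if ($filename === '' || $filename !== basename($filename)) {
        return null;
    }
    // Only the archive type the feature actually handles.
    if (!preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]*\.zip\z/', $filename)) {
        return null;
    }
    $base = realpath($backupDir);
    $path = realpath($backupDir . DIRECTORY_SEPARATOR . $filename);
    if ($base === false || $path === false) {
        return null; // directory or file does not exist
    }
    // Containment after symlink resolution: a backups/evil.zip symlink that
    // points at wp-config.php resolves outside $base and is rejected.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed fixture (not real site data): a throwaway backup directory with
// one real archive and one symlink that escapes it.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'lfi-demo-' . getmypid();
$backups = $root . DIRECTORY_SEPARATOR . 'backups';
mkdir($backups, 0700, true);
file_put_contents($root . DIRECTORY_SEPARATOR . 'wp-config.php', "<?php // secrets\n");
file_put_contents($backups . DIRECTORY_SEPARATOR . 'site-2024-12-01.zip', 'PK');
@symlink($root . DIRECTORY_SEPARATOR . 'wp-config.php', $backups . DIRECTORY_SEPARATOR . 'evil.zip');

$candidates = [
    'site-2024-12-01.zip',                                           // legitimate
    '../wp-config.php',                                              // traversal
    '/etc/passwd',                                                   // absolute path
    'php://filter/convert.base64-encode/resource=../wp-config.php',  // stream wrapper
    'evil.zip',                                                      // symlink escape
];
foreach ($candidates as $name) {
    $resolved = resolve_restore_file($backups, $name);
    printf("%-64s => %s\n", $name, $resolved ?? 'REJECTED');
}

// Cleanup.
@unlink($backups . DIRECTORY_SEPARATOR . 'evil.zip');
unlink($backups . DIRECTORY_SEPARATOR . 'site-2024-12-01.zip');
unlink($root . DIRECTORY_SEPARATOR . 'wp-config.php');
rmdir($backups);
rmdir($root);
```

Run it with the PHP CLI (php lfi-demo.php): only the legitimate archive name resolves; traversal, absolute paths and php:// wrappers fail the bare-name check, and the symlink fails the containment check even though its name passes both earlier filters, which is why canonicalisation must happen after the cheap string checks rather than instead of them.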
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-50682
Vulnerability details
The WP Umbrella: Update Backup Restore & Monitoring plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.17.0 via the 'filename' parameter of the 'umbrella-restore' action. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other "safe" file types can be uploaded and included.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
No mitigating controls mapped yet. The only remediation the references support is updating the plugin to a version later than 2.17.0.