Cyber Posture

CVE-2024-13011

Critical

Published: 10 February 2025

Published
10 February 2025
Modified
15 April 2026
KEV Added
Patch
CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0225 84.7th percentile
Risk Priority 21 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-13011 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Themeforest (inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, ranked in the top 15.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

SI-10 requires validating all information inputs including file types, directly mitigating the insufficient file type validation in the upload_publisher_profile_image function that enables arbitrary file uploads.

SI-2 Flaw Remediation good match
prevent

SI-2 mandates identifying, reporting, and remediating flaws like this arbitrary file upload vulnerability through timely patching of the WP Foodbakery plugin.

SI-3 Malicious Code Protection partial match
detectrespond

SI-3 employs malicious code protection at system entry points to detect and eradicate dangerous files uploaded via the vulnerable function, preventing RCE.

NVD Description

The WP Foodbakery plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'upload_publisher_profile_image' function in versions up to, and including, 4.7. This makes it possible for unauthenticated attackers to upload arbitrary files…

more

on the affected site's server which may make remote code execution possible.

Deeper analysisAI

CVE-2024-13011 affects the WP Foodbakery plugin for WordPress in versions up to and including 4.7. The vulnerability is an arbitrary file upload issue caused by insufficient file type validation in the 'upload_publisher_profile_image' function, mapped to CWE-434 (Unrestricted Upload of File with Dangerous Type). Published on 2025-02-10, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical.

Unauthenticated attackers can exploit this vulnerability remotely with low complexity and no user interaction or privileges required. By leveraging the flawed upload function, they can place arbitrary files on the affected site's server, potentially enabling remote code execution and compromising the entire WordPress installation.

Advisories from sources like Wordfence's threat intelligence provide further details on the issue, while the plugin's ThemeForest listing offers context on its distribution. No specific patch information is detailed in the available references.

Details

CWE(s)
CWE-434

Affected Products

Themeforest
inferred from references and description; NVD did not file a CPE for this CVE

CVEs Like This One

CVE-2021-35485Shared CWE-434
CVE-2020-36942Shared CWE-434
CVE-2025-34299Shared CWE-434
CVE-2025-26411Shared CWE-434
CVE-2024-57169Shared CWE-434
CVE-2023-53933Shared CWE-434
CVE-2025-68909Shared CWE-434
CVE-2021-47757Shared CWE-434
CVE-2025-68986Shared CWE-434
CVE-2025-56704Shared CWE-434

References