CVE-2024-13707
Published: 30 January 2025
Summary
CVE-2024-13707 is a high-severity CSRF (CWE-352) vulnerability in Ivanm WP Image Uploader. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); it is ranked at the 39.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2024-13707 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, affecting the WP Image Uploader plugin for WordPress in all versions up to and including 1.0.1. The issue arises from missing or incorrect nonce validation in the gky_image_uploader_main_function() function, earning a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
Unauthenticated attackers can exploit this vulnerability by tricking a site administrator into performing an action, such as clicking on a malicious link. A successful forged request allows the attacker to delete arbitrary files on the targeted WordPress site.
Advisories, including the Wordfence threat intelligence report, provide further details on the vulnerability. The plugin's source code on the WordPress trac repository identifies the issue at line 85 in index.php.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-51728
Vulnerability details
The WP Image Uploader plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing or incorrect nonce validation on the gky_image_uploader_main_function() function. This makes it possible for unauthenticated attackers to delete arbitrary files via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CSRF vuln in public-facing WordPress plugin directly enables remote exploitation (T1190) resulting in arbitrary file deletion (T1485).
Mitigating Controls (NIST 800-53 r5)
SC-23 protects the authenticity of communications sessions, directly mitigating CSRF attacks by ensuring forged requests cannot impersonate legitimate user actions.
SI-10 requires validation of information inputs such as CSRF nonces, addressing the core flaw of missing nonce validation in the plugin's function.
SI-2 mandates timely identification, reporting, and correction of flaws like this CSRF vulnerability through patching the affected plugin versions.
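As an added illustration (not the plugin's code and not part of this advisory), the following shows the CWE-352 pattern described above, a destructive admin action with no nonce check, beside a handler that applies the SC-23 and SI-10 controls using WordPress's own nonce, capability and path APIs. All function and nonce names are hypothetical.

```php
<?php
// Vulnerable pattern (hypothetical): acts on request parameters with no nonce or
// capability check, so a POST forged from an admin's browser is honoured.
function example_delete_handler_vulnerable() {
    if ( isset( $_POST['file'] ) ) {
        $upload = wp_upload_dir();
        wp_delete_file( $upload['basedir'] . '/' . $_POST['file'] );
    }
}

// Hardened pattern: the form carries a nonce bound to this action and user.
function example_render_delete_form( $file ) {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="example_delete_file">';
    wp_nonce_field( 'example_delete_file', 'example_nonce' ); // SC-23: session-bound token
    echo '<input type="hidden" name="file" value="' . esc_attr( $file ) . '">';
    submit_button( 'Delete' );
    echo '</form>';
}

function example_delete_handler_hardened() {
    if ( ! isset( $_POST['file'] ) ) {
        return;
    }
    // 1. CSRF defence: the request must carry a nonce issued for this action.
    //    check_admin_referer() terminates the request if the nonce is missing or invalid.
    check_admin_referer( 'example_delete_file', 'example_nonce' );

    // 2. Authorisation: a valid nonce proves intent, not privilege.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.', '', array( 'response' => 403 ) );
    }

    // 3. SI-10 input validation: strip path components and confine the target
    //    to the uploads directory so the handler cannot delete arbitrary files.
    $name    = sanitize_file_name( wp_unslash( $_POST['file'] ) );
    $basedir = realpath( wp_upload_dir()['basedir'] );
    $target  = realpath( $basedir . '/' . $name );
    if ( false === $target || 0 !== strpos( $target, $basedir . DIRECTORY_SEPARATOR ) ) {
        wp_die( 'Invalid file.', '', array( 'response' => 400 ) );
    }
    wp_delete_file( $target );
}
add_action( 'admin_post_example_delete_file', 'example_delete_handler_hardened' );
```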