CVE-2024-13720
Published: 30 January 2025
Summary
CVE-2024-13720 is a high-severity arbitrary file deletion vulnerability in the Ivanm WP Image Uploader plugin for WordPress, tracked under CWE-352 (Cross-Site Request Forgery) and CWE-22 (Path Traversal). Its CVSS 3.1 base score is 8.8 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 7.5% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
The WP Image Uploader plugin for WordPress is vulnerable to arbitrary file deletion because the gky_image_uploader_main_function() function does not adequately validate the file path it receives. The issue affects all versions up to and including 1.0.1 and is tracked under CWE-352 and CWE-22. The CVSS 3.1 base score is 8.8, with a network attack vector and low attack complexity. One caveat for triage: a base score of 8.8 is produced both by PR:L/UI:N (low privileges, no user interaction) and by PR:N/UI:R (no privileges, user interaction required). The latter is what the CWE-352 classification would imply, so confirm the full vector string against the Wordfence advisory rather than the prose here.
Unauthenticated attackers can supply crafted input that causes the plugin to delete a file of their choosing on the underlying server. Deleting a critical file such as wp-config.php is the canonical path to remote code execution: with the configuration gone, WordPress presents the installation wizard, and an attacker who completes it with a database they control ends up with an administrator account on the site, from which arbitrary PHP can be installed. The impact is therefore full site compromise, not merely denial of service.
The Wordfence advisory and the plugin source on plugins.trac.wordpress.org confirm the path-validation flaw, but neither documents an official patched release or a workaround beyond upgrading once a fixed version is available. Until then, the practical options are to deactivate and remove the plugin, or to block the affected action at the web application firewall.
EPSS peaked at 0.1161 on 2026-03-11 and has since receded to 0.0845. Movement of that size does not indicate a pronounced post-disclosure exploitation surge.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-51733
Vulnerability details
The WP Image Uploader plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the gky_image_uploader_main_function() function in all versions up to, and including, 1.0.1. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
- CWE(s): CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), CWE-352 (Cross-Site Request Forgery)
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1190 Exploit Public-Facing Application
Why these techniques?
Direct path traversal and file deletion in a public-facing WordPress plugin enables unauthenticated remote exploitation leading to RCE.
Affected Assets
- WP Image Uploader plugin for WordPress, all versions up to and including 1.0.1
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly addresses the insufficient file path validation in the plugin's gky_image_uploader_main_function() by requiring that request input be validated before it is used to build a filesystem path, preventing path traversal and arbitrary file deletion.
- AC-3 (Access Enforcement): enforces logical access controls on system resources, so that the web server process cannot delete critical files such as wp-config.php even if the traversal itself succeeds (for example, a read-only wp-config.php owned by a user other than the PHP worker).
- SI-2 (Flaw Remediation): requires timely identification, reporting, and correction of flaws in third-party plugins such as WP Image Uploader, which here means tracking the plugin for a fixed release and removing it in the meantime.
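The flaw class described in the deeper analysis, and the SI-10 and AC-3 controls listed above, are easiest to see side by side in code. The following is an added illustration written for this page; it is not the WP Image Uploader plugin's code, and every function, action and parameter name in it (hypothetical_vulnerable_delete, hypothetical_safe_delete, the hypothetical_delete AJAX action, the file request parameter, the hypothetical_delete_nonce nonce) is invented. The WordPress API calls (wp_upload_dir, check_ajax_referer, current_user_can, sanitize_file_name, wp_basename, wp_unslash, wp_delete_file, wp_send_json_error, wp_send_json_success) are real core functions.

```php
<?php
// Added example for this page: a hypothetical WordPress AJAX deletion handler in a
// vulnerable form and a hardened form. Not the WP Image Uploader plugin's code.

// --- Vulnerable pattern: a request-supplied name is joined straight onto the upload dir ---
function hypothetical_vulnerable_delete() {
    $upload_dir = wp_upload_dir()['basedir'];   // e.g. /var/www/html/wp-content/uploads
    $file       = $_POST['file'];               // attacker-controlled, never validated
    // A value such as "../../wp-config.php" resolves outside the uploads directory,
    // so the site's configuration file (or any file the PHP worker owns) is deleted.
    @unlink( $upload_dir . '/' . $file );
    wp_send_json_success();
}
// Registered for unauthenticated visitors with no nonce and no capability check:
// any request that reaches the action runs it (the CWE-352 and CWE-22 pairing).
add_action( 'wp_ajax_nopriv_hypothetical_delete', 'hypothetical_vulnerable_delete' );

// --- Hardened pattern ---
function hypothetical_safe_delete() {
    // 1. CSRF (CWE-352): the request must carry a nonce issued for this action.
    //    check_ajax_referer() dies with HTTP 403 if the nonce is missing or stale.
    check_ajax_referer( 'hypothetical_delete_nonce', '_wpnonce' );

    // 2. Authorisation (AC-3): only users allowed to manage media reach the delete logic.
    if ( ! current_user_can( 'delete_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Input validation (SI-10, CWE-22): reduce the input to a bare file name first,
    //    which discards any directory components including "../".
    $name = sanitize_file_name( wp_basename( wp_unslash( $_POST['file'] ?? '' ) ) );
    if ( '' === $name ) {
        wp_send_json_error( 'invalid file name', 400 );
    }

    // 4. Defence in depth: resolve both paths and require the target to sit strictly
    //    below the uploads directory. realpath() collapses ".." and symlinks and returns
    //    false for a path that does not exist, so a non-existent target is also rejected.
    $base   = realpath( wp_upload_dir()['basedir'] );
    $target = realpath( $base . DIRECTORY_SEPARATOR . $name );
    if ( false === $base || false === $target
        || 0 !== strpos( $target, $base . DIRECTORY_SEPARATOR ) ) {
        wp_send_json_error( 'target outside upload directory', 400 );
    }

    // wp_delete_file() is the core wrapper around unlink(); it applies the
    // 'wp_delete_file' filter so other plugins can veto the deletion.
    wp_delete_file( $target );
    wp_send_json_success( array( 'deleted' => $name ) );
}
// Authenticated endpoint only; deliberately no wp_ajax_nopriv_ registration.
add_action( 'wp_ajax_hypothetical_delete', 'hypothetical_safe_delete' );
```

The client side must obtain the nonce with wp_create_nonce( 'hypothetical_delete_nonce' ) and send it as _wpnonce, otherwise the hardened handler refuses every request. The basename step rejects legitimate files in dated subdirectories such as 2025/01/photo.png; a handler that must support those should skip wp_basename and rely on the realpath confinement check alone, which still blocks traversal. Note also that the AC-3 layer is independent of the code: a wp-config.php that the PHP worker cannot unlink (owned by a different user, directory not writable by the worker) would blunt this bug even in the vulnerable handler.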