Cyber Resilience

CVE-2024-13720

High

Published: 30 January 2025
Modified: 30 January 2025
CVSS v3.1 score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0845 (92.5th percentile)
Risk Priority: 23 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-13720 is a high-severity arbitrary file deletion vulnerability in the Ivanm WP Image Uploader plugin for WordPress, caused by insufficient file path validation (CWE-22 path traversal; also tracked under CWE-352). Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 7.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

The WP Image Uploader plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the gky_image_uploader_main_function() function. The issue affects all versions up to and including 1.0.1 and is tracked under CWE-22 and CWE-352. The CVSS 3.1 base score is 8.8 with a network attack vector, low complexity, and low privileges required.

Attackers can supply crafted input (a traversal sequence such as ../ in the file name) to delete arbitrary files that the web-server account can write. Deleting wp-config.php puts WordPress back into its setup state, which readily leads to remote code execution and full site compromise. Note that the CVSS vector recorded above carries PR:L while the advisory text describes the attacker as unauthenticated; the two sources disagree on the privilege needed, but neither requires an elevated role, so a login requirement should not be treated as a barrier.
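The following PHP is an added example and is not code from the WP Image Uploader plugin (the body of gky_image_uploader_main_function() is not reproduced on this page). It shows the class of flaw the advisory describes, a user-controlled file name concatenated straight into unlink(), beside a confining check that canonicalises the path and refuses anything that resolves outside the intended directory. The function names, the temporary directory layout and the test inputs are all constructed for the demonstration.

```php
<?php
// Added example (not the plugin's code): confine a user-supplied file name to
// an allowed base directory. Returns the canonical path, or null if unsafe.
function safe_path_in_dir(string $base_dir, string $user_path): ?string
{
    $base = realpath($base_dir);
    if ($base === false) {
        return null; // base directory must exist
    }
    // Callers pass names relative to $base_dir; reject empty and absolute input.
    if ($user_path === '' || $user_path[0] === '/' || $user_path[0] === '\\') {
        return null;
    }
    // realpath() collapses "..", and follows symlinks, so a link inside the
    // uploads dir that points at wp-config.php is caught by the prefix check.
    $target = realpath($base . DIRECTORY_SEPARATOR . $user_path);
    if ($target === false) {
        return null; // nothing exists at that path
    }
    // The trailing separator stops "/uploads-backup" from matching "/uploads".
    if (strncmp($target, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $target;
}

// Vulnerable pattern (illustrative): input flows straight into unlink().
function delete_file_unsafe(string $base_dir, string $user_path): bool
{
    return @unlink($base_dir . '/' . $user_path); // "../wp-config.php" escapes
}

// Hardened pattern: canonicalise and confine before unlinking.
function delete_file_safe(string $base_dir, string $user_path): bool
{
    $target = safe_path_in_dir($base_dir, $user_path);
    if ($target === null || !is_file($target)) {
        return false;
    }
    return unlink($target);
}

// Constructed layout in a temp dir (hypothetical site root):
//   $root/uploads/image.png          legitimate target
//   $root/wp-config.php              outside uploads; must never be deletable
//   $root/uploads/link -> ../wp-config.php   symlink escape attempt
$root = sys_get_temp_dir() . '/path-check-demo-' . getmypid();
$uploads = "$root/uploads";
mkdir($uploads, 0700, true);
file_put_contents("$uploads/image.png", 'png');
file_put_contents("$root/wp-config.php", '<?php // secrets');
@symlink("$root/wp-config.php", "$uploads/link");

$cases = [
    'image.png'        => true,  // in scope
    '../wp-config.php' => false, // traversal
    'link'             => false, // symlink pointing outside
    '/etc/passwd'      => false, // absolute path
    'missing.png'      => false, // nonexistent
];
foreach ($cases as $input => $expected) {
    $allowed = safe_path_in_dir($uploads, $input) !== null;
    printf("%-20s allowed=%-5s %s\n", $input, var_export($allowed, true),
        $allowed === $expected ? 'OK' : 'FAIL');
}

// Hardened handler refuses the traversal; the file survives.
delete_file_safe($uploads, '../wp-config.php');
printf("safe:   wp-config.php exists = %s\n", var_export(file_exists("$root/wp-config.php"), true));
// Vulnerable handler deletes it.
delete_file_unsafe($uploads, '../wp-config.php');
printf("unsafe: wp-config.php exists = %s\n", var_export(file_exists("$root/wp-config.php"), true));

// Cleanup of the constructed layout.
@unlink("$uploads/link");
@unlink("$uploads/image.png");
@unlink("$root/wp-config.php");
@rmdir($uploads);
@rmdir($root);
```

Run it with `php example.php`. In a real WordPress handler this check belongs next to a capability check (current_user_can()) and a nonce check (check_ajax_referer() or wp_verify_nonce()); those WordPress functions cover the CWE-352 side, while the canonical-path comparison covers CWE-22 and is what SI-10 (Information Input Validation) on this page asks for. Two details are easy to get wrong: realpath() must be applied to both the base and the target so symlinked temp directories compare consistently, and the prefix comparison must include the trailing separator, otherwise a base of /var/www/uploads also accepts /var/www/uploads-backup/anything.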

The Wordfence advisory and the plugin source reference at plugins.trac.wordpress.org confirm the path-validation flaw but do not detail an official patch release or workaround beyond upgrading once a fixed version becomes available.

EPSS reached a peak of 0.1161 on 2026-03-11 before receding to the current value of 0.0845; the modest movement does not indicate a pronounced post-disclosure exploitation surge.

Vulnerability details

The WP Image Uploader plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the gky_image_uploader_main_function() function in all versions up to, and including, 1.0.1. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

CWE(s)

CWE-22 Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)
CWE-352 Cross-Site Request Forgery

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct path traversal leading to file deletion in a public-facing WordPress plugin enables remote exploitation without an elevated account, and deletion of wp-config.php leads to RCE.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-13707 (same product: Ivanm Wp Image Uploader)
CVE-2025-64075 (shared CWE-22)
CVE-2024-53537 (shared CWE-22)
CVE-2025-23558 (shared CWE-352)
CVE-2025-70231 (shared CWE-22)
CVE-2025-23848 (shared CWE-352)
CVE-2026-7524 (shared CWE-22)
CVE-2024-39786 (shared CWE-22)
CVE-2026-44068 (shared CWE-22)
CVE-2026-42756 (shared CWE-22)

Affected Assets

ivanm / wp image uploader, versions ≤ 1.0.1

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)
Directly addresses the insufficient file path validation in the plugin's gky_image_uploader_main_function by requiring validation of inputs: canonicalise the requested path and confirm it resolves inside the intended upload directory before any unlink, which prevents path traversal and arbitrary file deletion.

AC-3 Access Enforcement (prevent)
Enforces logical access controls to system resources, so that the web-server account cannot delete critical files like wp-config.php even if path traversal succeeds. In practice this means the account running PHP has no write permission on wp-config.php or on the directory that contains it.

SI-2 Flaw Remediation (prevent)
Requires timely identification, reporting, and correction of flaws in third-party plugins like WP Image Uploader; until a fixed release is available, that means removing or deactivating the plugin on exposed sites.
