Cyber Resilience

CVE-2024-13767

Severity: High
Published: 31 January 2025
Modified: 15 April 2026
KEV Added: not listed
CVSS v3.1 score: 8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H)
EPSS score: 0.0133 (80.4th percentile)
Risk priority: 17 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-13767 is a high-severity Missing Authorization (CWE-862) vulnerability in WordPress (the affected product is inferred from the references). Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique File Deletion (T1070.004). The CVE ranks in the top 19.6% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2024-13767 is a vulnerability in the Live2DWebCanvas plugin for WordPress, affecting all versions up to and including 1.9.11. It stems from insufficient file path validation in the ClearFiles() function, enabling arbitrary file deletion on the server. The issue is classified under CWE-862 (Missing Authorization) with a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H), highlighting high impact on integrity and availability.

Authenticated attackers with Subscriber-level access or higher can exploit this flaw over the network with low complexity and no user interaction required. By targeting the ClearFiles() function, they can delete arbitrary files, which can lead to remote code execution, for instance by removing a critical file such as wp-config.php to disrupt site functionality or enable further compromise.

Advisories from sources such as Wordfence and the plugin's WordPress.org page, including a specific Trac changeset, provide details on the issue. Security practitioners should review these references for patch information and mitigation guidance, such as updating to a fixed version if one is available.

Vulnerability details

The Live2DWebCanvas plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the ClearFiles() function in all versions up to, and including, 1.9.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

CWE(s): CWE-862 (Missing Authorization)

Related Threats

MITRE ATT&CK Enterprise Techniques [AI]

- T1070.004 File Deletion (Stealth): Adversaries may delete files left behind by the actions of their intrusion activity.
- T1485 Data Destruction (Impact): Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.
Why these techniques?

Arbitrary file deletion via ClearFiles() directly maps to File Deletion (T1070.004) under Indicator Removal and enables Data Destruction (T1485); potential RCE via wp-config.php deletion is a secondary impact of these actions.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

- CVE-2025-31182 (shared CWE-862)
- CVE-2025-6043 (shared CWE-862)
- CVE-2026-26103 (shared CWE-862)
- CVE-2026-4365 (shared CWE-862)
- CVE-2025-23512 (shared CWE-862)
- CVE-2026-4094 (shared CWE-862)
- CVE-2025-59022 (shared CWE-862)
- CVE-2026-27181 (shared CWE-862)
- CVE-2026-4119 (shared CWE-862)
- CVE-2024-12104 (shared CWE-862)

Affected Assets

WordPress (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5) [AI]

- prevent, SI-10 (Information Input Validation): Requires validation of file path inputs to the ClearFiles() function, directly addressing the insufficient path validation that enables arbitrary file deletion.
- prevent, AC-3 (Access Enforcement): Enforces approved authorizations for file deletion operations in the plugin, mitigating the missing authorization (CWE-862) exploited by low-privilege users.
- prevent: Mandates timely flaw remediation by updating the Live2DWebCanvas plugin to a version later than 1.9.11, eliminating the arbitrary file deletion vulnerability.
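As an added illustration of what AC-3 and SI-10 look like in code, the constructed handler below shows a WordPress plugin "clear files" endpoint that checks the caller's capability before any deletion and confines deletion to one plugin-owned directory. It is not the Live2DWebCanvas plugin's code and makes no claim about how the actual fix was implemented; the function names, hook name, nonce action and cache directory are all assumptions.

```php
<?php
// Constructed example of a hardened "clear files" AJAX handler for a WordPress
// plugin. Not the Live2DWebCanvas plugin's own code; the function names, the
// hook name, the nonce action and the cache directory are all assumptions.

// The only directory from which this handler may delete (assumed location).
function l2d_example_allowed_dir() {
    $upload = wp_upload_dir();
    return trailingslashit( $upload['basedir'] ) . 'live2d-cache';
}

// SI-10: map the untrusted name onto a real file inside the allowed directory,
// or return false. basename() drops any directory part, and realpath() then
// collapses symlinks so the prefix check below cannot be bypassed.
function l2d_example_resolve_target( $requested ) {
    $base = realpath( l2d_example_allowed_dir() );
    if ( false === $base ) {
        return false;
    }
    $name      = basename( sanitize_text_field( wp_unslash( $requested ) ) );
    $candidate = realpath( $base . DIRECTORY_SEPARATOR . $name );
    if ( false === $candidate || ! is_file( $candidate ) ) {
        return false;
    }
    $base      = wp_normalize_path( $base ) . '/';
    $candidate = wp_normalize_path( $candidate );
    return 0 === strpos( $candidate, $base ) ? $candidate : false;
}

function l2d_example_clear_files() {
    // AC-3: Subscriber-level accounts never reach the deletion logic.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    // CSRF check; 'l2d_clear_files' is an assumed nonce action name.
    check_ajax_referer( 'l2d_clear_files', 'nonce' );

    $target = l2d_example_resolve_target( isset( $_POST['file'] ) ? $_POST['file'] : '' );
    if ( false === $target ) {
        wp_send_json_error( 'file not permitted', 400 );
    }
    wp_delete_file( $target );
    if ( file_exists( $target ) ) {
        wp_send_json_error( 'deletion failed', 500 );
    }
    wp_send_json_success( array( 'deleted' => basename( $target ) ) );
}

// Logged-in users only: no wp_ajax_nopriv_ hook, so anonymous requests never run it.
add_action( 'wp_ajax_l2d_example_clear_files', 'l2d_example_clear_files' );
```

A request naming a file outside the cache directory (for example a path ending in wp-config.php) fails the resolve step and is rejected with a 400 before any filesystem write, which is also a useful log line to alert on.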
