Cyber Posture

CVE-2024-9939

Severity: High
Published: 08 January 2025
Modified: 08 April 2026
KEV Added: not listed
Patch: available
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0182 (83.0th percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-9939 is a high-severity Path Traversal (CWE-22) vulnerability in the Iptanus WordPress File Upload plugin. Its CVSS v3.1 base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 17.0% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and one other technique, Data from Local System (T1005). What defenders deploy: the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent: SI-2 (Flaw Remediation). Directly remediates the path traversal vulnerability by updating the WordPress File Upload plugin to a patched version beyond 4.24.13.

prevent: SI-10 (Information Input Validation). Validates file path inputs to the wfu_file_downloader.php script, preventing attackers from traversing outside the intended directory.

prevent: least privilege. Limits the web server process to least-privilege access, reducing the set of sensitive files that remain readable even if path traversal succeeds.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1005 Data from Local System (Collection): Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Why these techniques?

A path traversal flaw in a public-facing WordPress plugin gives a remote, unauthenticated attacker arbitrary file read: exploiting the exposed endpoint is T1190, and reading files from the server is T1005 (Data from Local System).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

The WordPress File Upload plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 4.24.13 via wfu_file_downloader.php. This makes it possible for unauthenticated attackers to read files outside of the originally intended directory.

Deeper analysis

CVE-2024-9939 is a path traversal vulnerability (CWE-22) affecting the WordPress File Upload plugin for WordPress in all versions up to and including 4.24.13. The issue resides in the wfu_file_downloader.php component, which allows attackers to access files outside the originally intended directory. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with no integrity or availability disruption.

Unauthenticated attackers can exploit this vulnerability remotely over the network with low complexity and no user interaction required. Successful exploitation enables reading arbitrary files on the server, potentially exposing sensitive configuration files, credentials, or other data stored outside the plugin's designated directories.

Wordfence published a threat intelligence advisory detailing the vulnerability at https://www.wordfence.com/threat-intel/vulnerabilities/id/5e51f301-026d-4ed7-82f8-96c1623bf95c?source=cve. A patch addressing the issue is available in the WordPress plugin trac changeset 3188857 at https://plugins.trac.wordpress.org/changeset/3188857/wp-file-upload. Additional technical analysis appears in a blog post at https://abrahack.com/posts/wp-file-upload-rce-part1/. Security practitioners should update to a patched version beyond 4.24.13 and review access logs for suspicious file download requests.
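As an added example (not code from this page, the plugin, or Wordfence), the following Python illustrates the two defensive points raised here: the file path input validation listed under the mitigating controls, and the access-log review recommended above. The upload base directory, the `file=` query parameter and the log lines are constructed assumptions; the real parameter name used by wfu_file_downloader.php is not given on this page.

```python
import os
import re
from urllib.parse import unquote

# Assumed upload base directory (placeholder, not the plugin's real path).
UPLOAD_BASE = "/var/www/html/wp-content/uploads"

def resolve_within_base(base, requested):
    """Return the canonical target path if it stays inside base, else None."""
    decoded = unquote(unquote(requested))  # strip single and double URL encoding
    if "\x00" in decoded or os.path.isabs(decoded):  # NUL truncation, absolute paths
        return None
    base_real = os.path.realpath(base)
    # Canonicalise after joining so '..' and symlinks are resolved before the check.
    target = os.path.realpath(os.path.join(base_real, decoded))
    if os.path.commonpath([base_real, target]) != base_real:
        return None
    return target

# Combined log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')
# Traversal markers in raw form; the decoded form is checked separately below.
TRAVERSAL_RE = re.compile(r"\.\./|\.\.\\|%2e%2e|\.\.%2f|\.\.%5c", re.IGNORECASE)

def find_suspicious_downloads(log_lines):
    """Return (ip, url, status) for downloader requests carrying a traversal sequence."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or "wfu_file_downloader.php" not in m.group("url"):
            continue
        url = m.group("url")
        if TRAVERSAL_RE.search(url) or TRAVERSAL_RE.search(unquote(unquote(url))):
            hits.append((m.group("ip"), url, int(m.group("status"))))
    return hits

# Constructed sample log lines (not real traffic); the file= parameter is a placeholder.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jan/2025:10:01:02 +0000] "GET /wp-content/plugins/wp-file-upload/wfu_file_downloader.php?file=report.pdf HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Jan/2025:10:01:05 +0000] "GET /wp-content/plugins/wp-file-upload/wfu_file_downloader.php?file=../../../../etc/hostname HTTP/1.1" 200 16 "-" "curl/8.0"',
    '203.0.113.9 - - [10/Jan/2025:10:01:07 +0000] "GET /wp-content/plugins/wp-file-upload/wfu_file_downloader.php?file=..%2F..%2F..%2Fetc%2Fhostname HTTP/1.1" 200 16 "-" "curl/8.0"',
    '198.51.100.7 - - [10/Jan/2025:10:02:00 +0000] "GET /index.php?p=../../x HTTP/1.1" 404 200 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in find_suspicious_downloads(SAMPLE_LOG):
        print("suspicious download request:", hit)
```

A 200 status on a flagged request is the case worth escalating, since it indicates the server returned content rather than rejecting the path.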

Details

CWE(s): CWE-22 (Path Traversal)

Affected Products: Iptanus WordPress File Upload (≤ 4.24.14)

CVEs Like This One

CVE-2024-11613 (same product: Iptanus WordPress File Upload)
CVE-2024-11635 (same product: Iptanus WordPress File Upload)
CVE-2025-24605 (same product class: CMS core)
CVE-2025-24406 (same product class: CMS core)
CVE-2026-23536 (shared CWE-22)
CVE-2025-23422 (shared CWE-22)
CVE-2025-8343 (shared CWE-22)
CVE-2025-10559 (shared CWE-22)
CVE-2025-67076 (shared CWE-22)
CVE-2026-5258 (shared CWE-22)