CVE-2024-11613

Published Jan 8, 2025

Last updated 3 months ago

CVSS critical 9.8
WordPress

Overview

AI description

Generated using AI and has not been reviewed by Intruder. May contain errors.

CVE-2024-11613 affects the WordPress File Upload plugin. Specifically, versions up to and including 4.24.15 are vulnerable. The vulnerability stems from a lack of proper sanitization of the 'source' parameter in the 'wfu_file_downloader.php' file, which allows a user-defined directory path. This flaw allows unauthenticated attackers to perform remote code execution, arbitrary file reading, and arbitrary file deletion on the server. Users are advised to update to version 4.24.16 or later to mitigate the risk.

Description
The WordPress File Upload plugin for WordPress is vulnerable to Remote Code Execution, Arbitrary File Read, and Arbitrary File Deletion in all versions up to, and including, 4.24.15 via the 'wfu_file_downloader.php' file. This is due to lack of proper sanitization of the 'source' parameter and allowing a user-defined directory path. This makes it possible for unauthenticated attackers to execute code on the server.
Source
security@wordfence.com
NVD status
Received

Risk scores

CVSS 3.1

Type
Primary
Base score
9.8
Impact score
5.9
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity
CRITICAL

Weaknesses

security@wordfence.com
CWE-94

Social media

Hype score
Not currently trending

  1. WordPress File Upload RCE (Part 2) : Full Disclosure of CVE-2024-11613 - When Patches Introduce New Vulnerabilities : https://t.co/YQAO4AvnHn Full Disclosure of CVE-2024-9939 & CVE-2024-11635 : https://t.co/NJV4TdNlur

    @binitamshah

    16 Mar 2025

    3648 Impressions

    9 Retweets

    37 Likes

    16 Bookmarks

    0 Replies

    0 Quotes

  2. CVE-2024-11613 (CVSS:9.8, CRITICAL) is Awaiting Analysis. The WordPress File Upload plugin for WordPress is vulnerable to Remote Code Execution, Arbitrary File Read, and Arbitrar..https://t.co/ImoYXWqcpA #cybersecurityawareness #cybersecurity #CVE #infosec #hacker #nvd #mitre

    @cracbot

    13 Jan 2025

    20 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  3. CVE-2024-11613 The WordPress File Upload plugin for WordPress is vulnerable to Remote Code Execution, Arbitrary File Read, and Arbitrary File Deletion in all versions up to, and inc… https://t.co/V67NbGgZq1

    @CVEnew

    8 Jan 2025

    13 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  4. A CVE of mine CVE-2024-11613 (CVSS:3.1 9.8 Critical) has been released today. Full disclosure exclusively on my blog https://t.co/Z46zGdurbe, on the 14th March 2025. You can read more about it at the link below https://t.co/OihGRXEX7D Please save the date.

    @theabrahack

    7 Jan 2025

    2309 Impressions

    2 Retweets

    23 Likes

    10 Bookmarks

    1 Reply

    1 Quote

References