CVE-2024-11635

Published Jan 8, 2025

Last updated 22 days ago

WordPress

Overview

AI description

Generated using AI and has not been reviewed by Intruder. May contain errors.

CVE-2024-11635 is a Remote Code Execution (RCE) vulnerability found in the WordPress File Upload plugin. It affects versions up to and including 4.24.12. The vulnerability allows unauthenticated attackers to execute remote code via the 'wfu_ABSPATH' cookie parameter.

Description: The WordPress File Upload plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.24.12 via the 'wfu_ABSPATH' cookie parameter. This makes it possible for unauthenticated attackers to execute code on the server.
Source: security@wordfence.com
NVD status: Analyzed

Risk scores

CVSS 3.1

Type: Primary
Base score: 9.8
Impact score: 5.9
Exploitability score: 3.9
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: CRITICAL

Weaknesses

security@wordfence.com: CWE-94

Hype score: Not currently trending

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:iptanus:wordpress_file_upload:*:*:*:*:*:wordpress:*:*",
            "vulnerable": true,
            "matchCriteriaId": "0B5A82C7-FE3A-477E-AA13-EBC492A3C79F",
            "versionEndExcluding": "4.24.15"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]