Platform: wordpress
Component: wp-file-upload
Fixed in: 4.24.16
CVE-2024-11613 is a critical Remote Code Execution (RCE) vulnerability in the WordPress File Upload plugin. The flaw allows unauthenticated attackers to execute code on the server, potentially leading to complete system compromise. It affects plugin versions up to and including 4.24.15. A patch is expected to be released by the plugin developers.
The impact of CVE-2024-11613 is severe. Successful exploitation lets an attacker execute arbitrary code on the web server hosting the WordPress site, which can mean installing malware, stealing sensitive data (user credentials, database contents, configuration files), modifying website content, or pivoting to other systems on the network. Because no authentication is required, the flaw is reachable by a wide range of threat actors. Its location in the plugin's file download handler (wfu_file_downloader.php) makes it particularly insidious, since requests to that handler look like legitimate download traffic and can mask malicious activity.
Exploitation is considered highly likely because the flaw is easy to trigger and requires no authentication; public proof-of-concept (PoC) code is likely to appear quickly after public disclosure. The vulnerability was published on 2025-01-08. Monitor the CISA KEV catalog for its possible inclusion. Active exploitation campaigns targeting vulnerable WordPress installations are possible.
WordPress websites utilizing the File Upload plugin, particularly those running older versions (≤4.24.15), are at significant risk. Shared hosting environments are especially vulnerable, as they often lack granular control over plugin updates and security configurations. Websites with custom integrations or extensions built on top of the File Upload plugin may also be affected.
• wordpress / composer / npm:
  grep -r 'wfu_file_downloader.php' /var/www/html/
• generic web (prints the HTTP status line; a 200 shows the download handler is reachable, replace the host with your own):
  curl -sI https://your-wordpress-site.com/wp-content/plugins/wordpress-file-upload/wfu_file_downloader.php | head -n 1
• wordpress / composer / npm (wp plugin list shows plugin slugs, not display names):
  wp plugin list | grep 'wordpress-file-upload'
• wordpress / composer / npm:
  wp plugin update wordpress-file-upload
Disclosure
Exploit status
EPSS: 66.12% (99th percentile)
CISA SSVC:
CVSS vector:
The primary mitigation for CVE-2024-11613 is to upgrade the WordPress File Upload plugin to a version containing the security patch. If an immediate upgrade is not possible because of compatibility issues or breaking changes, consider temporarily disabling the plugin. Enforcing strict file upload restrictions within WordPress itself (limiting allowed file types and sizes) is not a complete solution but reduces the attack surface. Monitor web server access logs for requests to wfu_file_downloader.php with unusual parameters or file names. After upgrading, confirm the vulnerability is resolved by attempting a controlled code execution test in a staging environment.
Update the WordPress File Upload plugin to the latest available version. This fixes the Remote Code Execution, Arbitrary File Read and Arbitrary File Deletion vulnerabilities.
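As an added example (not code from the advisory, the plugin, or its author), the following POSIX shell script turns the detection commands and the log-monitoring advice above into repeatable checks: it reads the Version header of an installed copy of the plugin and compares it with the fixed release 4.24.16 named on this page, and it summarises which clients requested wfu_file_downloader.php in a combined-format web access log so the query parameters can be reviewed. The main-file name wordpress_file_upload.php, the temporary directory and every log line are constructed sample data (assumptions, not taken from the page); point PLUGIN_FILE and ACCESS_LOG at your own paths.

```shell
#!/bin/sh
# Added example for CVE-2024-11613 checks; not code from the plugin or the advisory.
# (1) compare the installed plugin version with the fixed release from the advisory
# (2) list clients that hit the download handler in an access log

FIXED_VERSION="4.24.16"   # "Fixed in" value from the advisory

# True (exit 0) when dotted version $1 is strictly lower than $2; missing
# components count as 0, so 4.24 < 4.24.16 and 4.24.16 is not < 4.24.16.
version_lt() {
  i=1
  while :; do
    x=$(printf '%s.' "$1" | cut -d. -f"$i")
    y=$(printf '%s.' "$2" | cut -d. -f"$i")
    [ -z "$x" ] && [ -z "$y" ] && return 1   # ran out of components: equal
    x=${x:-0}; y=${y:-0}
    [ "$x" -lt "$y" ] && return 0
    [ "$x" -gt "$y" ] && return 1
    i=$((i+1))
  done
}

# Prints the "Version:" value from a WordPress plugin header comment (empty if absent).
plugin_version() {
  sed -n 's/^[[:space:]*]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$1" | head -n1
}

# Exit 0 if the plugin file $1 reports a version below the fixed release,
# 1 if it is patched, 2 if no Version header could be read.
plugin_is_vulnerable() {
  v=$(plugin_version "$1")
  [ -n "$v" ] || { echo "no Version header in $1" >&2; return 2; }
  if version_lt "$v" "$FIXED_VERSION"; then
    echo "VULNERABLE: $1 reports $v (fixed in $FIXED_VERSION)"
    return 0
  fi
  echo "OK: $1 reports $v"
  return 1
}

# Prints "<count> <client-ip>" for every client that requested the download
# handler, busiest first (field 1 of a combined-format log is the client IP).
downloader_requests() {
  grep -F 'wfu_file_downloader.php' "$1" | awk '{print $1}' \
    | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Prints the raw matching log lines so the query string of each request can be reviewed.
downloader_request_lines() {
  grep -F 'wfu_file_downloader.php' "$1"
}

# --- constructed sample data (assumed file name and made-up log lines) --------------
WORK=$(mktemp -d)
PLUGIN_FILE="$WORK/wordpress_file_upload.php"
cat > "$PLUGIN_FILE" <<'EOF'
<?php
/*
Plugin Name: WordPress File Upload
Version: 4.24.15
*/
EOF

ACCESS_LOG="$WORK/access.log"
cat > "$ACCESS_LOG" <<'EOF'
203.0.113.7 - - [08/Jan/2025:10:01:02 +0000] "GET /wp-content/plugins/wordpress-file-upload/wfu_file_downloader.php?file=example.pdf HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
198.51.100.4 - - [08/Jan/2025:10:01:09 +0000] "GET /wp-login.php HTTP/1.1" 200 3011 "-" "Mozilla/5.0"
203.0.113.7 - - [08/Jan/2025:10:01:15 +0000] "GET /wp-content/plugins/wordpress-file-upload/wfu_file_downloader.php?file=example.pdf HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
192.0.2.9 - - [08/Jan/2025:10:02:40 +0000] "GET /wp-content/plugins/wordpress-file-upload/wfu_file_downloader.php?file=report.docx HTTP/1.1" 404 213 "-" "curl/8.4.0"
EOF

plugin_is_vulnerable "$PLUGIN_FILE" || true
downloader_requests "$ACCESS_LOG"
downloader_request_lines "$ACCESS_LOG"
```

The version comparison is done component by component rather than with string comparison, because "4.24.9" sorts after "4.24.16" as text; the per-client count is a triage aid only, since legitimate users also download through this handler, so review the full request lines (file names and extra parameters) before drawing conclusions.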
CVE-2024-11613 is a critical Remote Code Execution vulnerability in the WordPress File Upload plugin, allowing attackers to execute code on the server without authentication.
You are affected if you are using the WordPress File Upload plugin version 4.24.15 or earlier. Check your plugin version and upgrade immediately.
Upgrade the WordPress File Upload plugin to the latest available version with the security patch. If upgrading is not immediately possible, disable the plugin temporarily.
While active exploitation is not yet confirmed, the vulnerability's ease of exploitation suggests it is likely to be targeted soon. Monitor your systems closely.
Refer to the WordPress security announcements page and the WordPress File Upload plugin's official website for updates and advisories regarding CVE-2024-11613.