Platform: wordpress
Component: user-extra-fields
Fixed in: 16.6.1
CVE-2024-11150 is a critical vulnerability affecting the WordPress User Extra Fields plugin, allowing arbitrary file deletion. The flaw stems from insufficient file path validation within the delete_tmp_uploaded_file() function. Successful exploitation can lead to remote code execution, particularly if critical configuration files such as wp-config.php are deleted. Versions of the plugin up to and including 16.6 are affected.
The impact of CVE-2024-11150 is severe. An unauthenticated attacker can leverage this vulnerability to delete any file accessible to the webserver user. The most concerning scenario involves deleting wp-config.php, which contains sensitive database credentials and configuration settings. Deletion of this file effectively compromises the entire WordPress installation, granting the attacker complete control over the server. Furthermore, deletion of other critical system files could lead to denial of service or further exploitation opportunities. This vulnerability shares similarities with other file deletion vulnerabilities where the attacker gains control by manipulating file paths.
CVE-2024-11150 was publicly disclosed on November 13, 2024. The vulnerability's ease of exploitation and potential for remote code execution suggest a medium probability of exploitation. Public proof-of-concept (PoC) code is likely to emerge, increasing the risk. Monitor security advisories and threat intelligence feeds for any indications of active exploitation campaigns.
Exploit Status
EPSS: 24.42% (96th percentile)
The primary mitigation for CVE-2024-11150 is to immediately upgrade the WordPress User Extra Fields plugin to a version higher than 16.6, once available. If upgrading is not immediately feasible, consider implementing a temporary workaround by restricting file upload permissions for the webserver user to prevent the attacker from deleting files. Additionally, implement a Web Application Firewall (WAF) rule to block requests containing suspicious file paths or deletion attempts targeting temporary upload directories. Regularly monitor WordPress logs for any unusual file deletion activity.
Update the WordPress User Extra Fields plugin to the latest available version. The vulnerability allows for arbitrary file deletion, which could lead to remote code execution. The update corrects the insufficient file path validation in the delete_tmp_uploaded_file() function.
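To make concrete what "sufficient file path validation" means for a temp-upload delete routine, here is an added illustration written for this page; it is not the plugin's own code, and the function name, directory layout and demo file names are assumptions.

```php
<?php
// Added illustration (not code from the User Extra Fields plugin): a delete routine
// that is confined to one temporary upload directory, so a request naming
// "../wp-config.php" or a symlink pointing outside that directory is refused.
// In a real WordPress handler, a nonce and capability check (check_ajax_referer(),
// current_user_can()) must also gate the call, since the advisory notes the
// vulnerable path is reachable unauthenticated.

/**
 * Delete one file from $tmp_dir. Returns true on deletion, false when the
 * request is rejected or the file does not exist.
 */
function uef_example_delete_tmp_file(string $tmp_dir, string $requested): bool
{
    // Accept only a bare file name: any directory component or traversal token
    // changes the value under basename(), so it is rejected before touching disk.
    $name = basename($requested);
    if ($name !== $requested || $name === '' || $name === '.' || $name === '..') {
        return false;
    }

    // Resolve both sides with realpath(), which also follows symlinks, and require
    // the resolved target to sit strictly inside the resolved base directory.
    $base   = realpath($tmp_dir);
    $target = realpath($tmp_dir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $target === false) {
        return false; // directory missing, or no such file
    }
    if (strpos($target, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false; // a symlink inside the directory escaped it
    }

    // Never remove directories, only regular files the upload step created.
    if (!is_file($target)) {
        return false;
    }
    return unlink($target);
}

// Constructed demo: a throwaway directory with one upload, then a traversal
// attempt and a legitimate delete against it.
$dir = sys_get_temp_dir() . '/uef_demo_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
file_put_contents($dir . '/upload_1.tmp', 'constructed sample upload');
$traversal = uef_example_delete_tmp_file($dir, '../wp-config.php'); // rejected by basename check
$legit     = uef_example_delete_tmp_file($dir, 'upload_1.tmp');     // confined delete
printf("traversal rejected: %s, legitimate delete: %s\n",
    $traversal ? 'no' : 'yes', $legit ? 'ok' : 'failed');
rmdir($dir);
```

Running it with `php` on a POSIX host exercises both branches; the realpath() comparison is what closes the symlink case that a plain string check on the request would miss.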
CVE-2024-11150 is a critical vulnerability in the WordPress User Extra Fields plugin allowing unauthenticated attackers to delete files, potentially leading to remote code execution.
You are affected if you are using WordPress User Extra Fields version 16.6 or earlier. Immediately check your plugin version and upgrade if necessary.
Upgrade the WordPress User Extra Fields plugin to a version higher than 16.6. If immediate upgrade is not possible, implement temporary workarounds like restricting file upload permissions and WAF rules.
While active exploitation is not yet confirmed, the vulnerability's severity and ease of exploitation suggest a high probability of exploitation. Monitor security advisories for updates.
Refer to the official WordPress User Extra Fields plugin website and the WordPress security announcements page for the latest advisory and updates.