Platform
wordpress
Component
folders
Fixed in
3.0.3
CVE-2024-2024 describes an arbitrary file upload vulnerability in the Folders Pro plugin for WordPress. Because the plugin's own upload handler does not validate file types, authenticated users with the Author role or higher can upload arbitrary files to the server. All versions up to and including 3.0.2 are affected; the issue is fixed in version 3.0.3, so users must upgrade.
The primary impact of CVE-2024-2024 is remote code execution (RCE). An attacker who uploads a PHP script into a web-served directory and then requests it gets code execution as the web server user, which can lead to data theft, site defacement, or full compromise of the host. The requirement for an authenticated Author-or-higher account narrows the initial attack surface, but Author accounts are common on multi-contributor sites and are often obtained through weak or reused passwords; once code executes on the server, the attacker is no longer bound by WordPress roles at all. The plugin's upload path sidesteps the file-type checks that WordPress core applies to normal media uploads, which is why a single request suffices.
CVE-2024-2024 was publicly disclosed on June 14, 2024. No active exploitation campaigns have been publicly confirmed and no public proof-of-concept exploit is known, but the low skill required (one authenticated upload request) and the RCE outcome make it a high-priority vulnerability. It has not been added to the CISA KEV catalog, which only lists vulnerabilities with evidence of active exploitation.
Exploit Status
EPSS
17.12% (95th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-2024 is to upgrade Folders Pro to 3.0.3 or later, which adds the missing file type validation. If upgrading immediately is not feasible, reduce exposure by auditing Author-and-above accounts (remove stale ones, enforce strong passwords and two-factor authentication) and by adding a Web Application Firewall (WAF) rule that rejects uploads with executable extensions. Note that a blocklist of .php, .exe and .sh alone is easy to bypass: also cover .phtml, .phar, .php5 and similar variants, as well as double extensions such as shell.php.jpg that misconfigured handlers may still execute, and prefer an allowlist of expected types. Regularly scan wp-content/uploads for PHP files, since a successful attack leaves its payload there. After upgrading, confirm the installed version is 3.0.3 or later and verify the fix by attempting to upload a harmless test file with a PHP extension (for example containing only '<?php echo 'hello'; ?>') through the plugin's own upload feature, not the core media library, and confirming that the upload is rejected.
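As a practitioner's check for the mitigation steps above, here is an added shell example (not code from the Folders Pro plugin or from this advisory's author) that encodes the 3.0.2 version cutoff, contrasts the stop-gap extension blocklist with an allowlist check, and scans an uploads directory for files a PHP handler might execute. The allowed-extension list, the directory layout in the comments and the grep on wp plugin list output are assumptions for illustration; the real fix is server-side validation inside the plugin, which a filename check only approximates.

```shell
#!/bin/sh
# Added example for CVE-2024-2024 triage (not Folders Pro project code).
# Assumes POSIX sh with awk, find, tr and sort available.

# version_le A B: exit 0 when dot-separated version A <= B.
# Missing components count as 0, so "3.0" equals "3.0.0".
version_le() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        k = (n > m) ? n : m
        for (i = 1; i <= k; i++) {
            p = (i <= n) ? x[i] + 0 : 0
            q = (i <= m) ? y[i] + 0 : 0
            if (p < q) exit 0
            if (p > q) exit 1
        }
        exit 0
    }'
}

# folders_pro_vulnerable VERSION: exit 0 when VERSION <= 3.0.2 (affected).
# Read VERSION from the site with WP-CLI, e.g. (grep pattern is an assumption):
#   wp plugin list --fields=name,version --format=csv | grep -i folders
folders_pro_vulnerable() {
    version_le "$1" "3.0.2"
}

# naive_waf_blocks NAME: the .php/.exe/.sh blocklist suggested as a stopgap,
# included to show what it misses (.phtml, .phar, double extensions).
naive_waf_blocks() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        *.php|*.exe|*.sh) return 0 ;;
        *) return 1 ;;
    esac
}

# upload_name_allowed NAME: allowlist check. Rejects path separators, missing,
# empty or double extensions (conservatively, any second dot), and any
# extension outside a fixed list of inert types (list is an assumption).
upload_name_allowed() {
    name="$1"
    case "$name" in
        */*|*..*) return 1 ;;
    esac
    base="${name%.*}"
    ext="${name##*.}"
    [ "$base" != "$name" ] || return 1     # no extension at all
    [ -n "$base" ] || return 1             # names like ".php"
    case "$base" in *.*) return 1 ;; esac  # shell.php.jpg
    case "$(printf '%s' "$ext" | tr 'A-Z' 'a-z')" in
        jpg|jpeg|png|gif|webp|pdf|txt|csv|zip) return 0 ;;
        *) return 1 ;;
    esac
}

# find_executable_uploads DIR: list files under DIR (normally wp-content/uploads)
# whose names a PHP handler might execute, including double-extension tricks.
find_executable_uploads() {
    find "$1" -type f \( -iname '*.php' -o -iname '*.php[0-9]' -o -iname '*.phtml' \
        -o -iname '*.phar' -o -iname '*.php.*' \) | sort
}
```

Run the scan as the web server user against the real uploads directory; any hit should be treated as a possible web shell and examined before deletion so that the incident timeline is preserved.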
Update the Folders Pro plugin to the latest available version. The vulnerability allows arbitrary file upload, which can lead to remote code execution. The update corrects the missing file type validation.
CVE-2024-2024 is a HIGH severity vulnerability in Folders Pro WordPress plugin versions ≤3.0.2, allowing authenticated attackers to upload arbitrary files, potentially leading to remote code execution.
If you are using Folders Pro version 3.0.2 or earlier, you are vulnerable. Check the installed version with wp plugin list and upgrade to 3.0.3 or later immediately.
Upgrade Folders Pro to the latest available version. If an immediate upgrade is not possible, reduce the number of Author-and-above accounts and add a WAF rule that rejects executable upload extensions (including .phtml and .phar, not only .php) and double extensions.
While no active exploitation campaigns have been publicly confirmed, the vulnerability's potential for RCE makes it a high-priority risk.
Refer to the Folders Pro plugin website and WordPress.org plugin page for the latest security advisories and updates.