Platform: wordpress
Component: wp-file-upload
Fixed in: 4.24.12
CVE-2024-9047 is a critical path traversal vulnerability affecting the WordPress File Upload plugin. This flaw allows unauthenticated attackers to potentially read or delete arbitrary files on the server, significantly compromising the integrity and confidentiality of the WordPress installation. The vulnerability impacts versions up to and including 4.24.11 and requires the targeted site to be running PHP 7.4 or earlier. A patch is available from the plugin developers.
The path traversal vulnerability in the WordPress File Upload plugin presents a severe risk to WordPress installations. An attacker could exploit this flaw to read sensitive configuration files, database credentials, or even system files. Successful exploitation could lead to complete server compromise, data exfiltration, and denial of service. The requirement for PHP 7.4 or earlier further exacerbates the risk, as many legacy WordPress sites still rely on these older PHP versions. This vulnerability is particularly concerning because it requires no authentication, making it accessible to a wide range of attackers.
CVE-2024-9047 was publicly disclosed on 2024-10-12. While no public proof-of-concept (PoC) has been widely reported, the ease of exploitation and the lack of authentication make it a likely target for opportunistic attackers. The vulnerability's severity (CVSS 9.8) and the requirement for older PHP versions suggest a potential for exploitation in vulnerable environments. Monitor security advisories and threat intelligence feeds for any indications of active exploitation.
Exploit Status
EPSS: 93.62% (100% percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2024-9047 is to upgrade the WordPress File Upload plugin to the latest available version immediately. If upgrading is not immediately feasible because of compatibility issues or breaking changes, consider temporarily restricting access to the wfufiledownloader.php download endpoint. Web application firewalls (WAFs) can be configured to block requests containing path traversal attempts (e.g., ../ sequences). Regularly scan your WordPress installation for outdated plugins and themes to reduce the overall attack surface. After upgrading, verify the fix by requesting a file outside the intended directory through the download endpoint; the request should be denied.
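As an added example, not code from this advisory or from the plugin, here is a Python log check that supports the mitigation and verification steps above: it scans access-log lines for requests to wfufiledownloader.php whose query string, after repeated percent-decoding, contains a traversal segment, which also catches the encoded variants that a WAF rule matching only the literal `../` string would miss. The sample log lines, the plugin path and the `file` parameter name are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not real traffic). The plugin path and
# the "file" parameter are assumptions; only the endpoint name is from the advisory.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Oct/2024:10:01:02 +0000] "GET /wp-content/plugins/wp-file-upload/wfufiledownloader.php?file=report.pdf HTTP/1.1" 200 5120
203.0.113.5 - - [12/Oct/2024:10:01:04 +0000] "GET /wp-content/plugins/wp-file-upload/wfufiledownloader.php?file=reports/q3..final.pdf HTTP/1.1" 200 8800
203.0.113.9 - - [12/Oct/2024:10:01:07 +0000] "GET /wp-content/plugins/wp-file-upload/wfufiledownloader.php?file=../../../wp-config.php HTTP/1.1" 200 3011
203.0.113.9 - - [12/Oct/2024:10:01:09 +0000] "GET /wp-content/plugins/wp-file-upload/wfufiledownloader.php?file=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 200 3011
203.0.113.9 - - [12/Oct/2024:10:01:11 +0000] "GET /wp-content/plugins/wp-file-upload/wfufiledownloader.php?file=%252e%252e%252fwp-config.php HTTP/1.1" 403 212
"""

# Common log format: client IP, identd, user, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\d+|-)'
)
# A dot-dot segment bounded by a slash or backslash; "q3..final.pdf" does not match.
TRAVERSAL_RE = re.compile(r'\.\.[\\/]|[\\/]\.\.')


def decode_fully(value, max_rounds=3):
    """Percent-decode until stable so %2e%2e%2f and %252e%252e%252f both
    normalise to ../ (a WAF rule on the literal string ../ misses these)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal_attempt(request_path):
    """True if the request hits wfufiledownloader.php with a traversal in its query."""
    if 'wfufiledownloader.php' not in request_path:
        return False
    query = request_path.partition('?')[2]
    return bool(TRAVERSAL_RE.search(decode_fully(query)))


def find_traversal_requests(log_text):
    """Return (ip, status, decoded query) per suspicious request; a 200 needs follow-up."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_traversal_attempt(m['path']):
            query = decode_fully(m['path'].partition('?')[2])
            hits.append((m['ip'], int(m['status']), query))
    return hits
```

A hit with status 200 from before the upgrade means the file was likely served and belongs in the incident scope; after the upgrade, the same requests should appear only with a denial status.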
Update the WordPress File Upload plugin to the latest available version. This will resolve the path traversal vulnerability that allows unauthorized file reading and deletion.
CVE-2024-9047 is a critical path traversal vulnerability in the WordPress File Upload plugin, allowing attackers to read or delete files outside the intended directory via wfufiledownloader.php.
You are affected if you are using WordPress File Upload plugin versions 4.24.11 or earlier, and your WordPress site is running PHP 7.4 or earlier.
Upgrade the WordPress File Upload plugin to the latest available version. If immediate upgrade is not possible, restrict access to wfufiledownloader.php.
While no widespread exploitation has been confirmed, the vulnerability's severity and ease of exploitation suggest a potential for active campaigns.
Refer to the WordPress security announcements and the plugin developer's website for the latest advisory and patch information.