Platform
wordpress
Component
wp-file-upload
Fixed in
4.24.16
CVE-2024-11613 represents a critical Remote Code Execution (RCE) vulnerability within the WordPress File Upload plugin. This flaw allows unauthenticated attackers to execute code on the server, potentially leading to complete system compromise. The vulnerability impacts versions of the plugin up to and including 4.24.15. A patch is expected to be released by the plugin developers.
The impact of CVE-2024-11613 is severe. Successful exploitation allows an attacker to execute arbitrary code on the web server hosting the WordPress site. This could involve installing malware, stealing sensitive data (user credentials, database contents, configuration files), modifying website content, or even pivoting to other systems on the network. The lack of authentication required for exploitation significantly broadens the attack surface, making it accessible to a wide range of threat actors. The vulnerability's location within a file download handler ('wfu_file_downloader.php') makes it particularly insidious, as attackers can potentially leverage legitimate download functionality to mask their malicious activity.
This vulnerability is considered high probability due to its ease of exploitation and the lack of authentication required. Public proof-of-concept (PoC) code is likely to emerge quickly following public disclosure. The vulnerability was published on 2025-01-08. Monitor CISA KEV listings for potential inclusion. Active exploitation campaigns are possible, particularly targeting vulnerable WordPress installations.
WordPress websites utilizing the File Upload plugin, particularly those running older versions (≤4.24.15), are at significant risk. Shared hosting environments are especially vulnerable, as they often lack granular control over plugin updates and security configurations. Websites with custom integrations or extensions built on top of the File Upload plugin may also be affected.
• wordpress / composer / npm:
grep -r 'wfu_file_downloader.php' /var/www/html/
• generic web:
curl -sI https://your-wordpress-site.com/wp-content/plugins/wordpress-file-upload/wfu_file_downloader.php | head -n 1
• wordpress / composer / npm:
wp plugin list | grep 'wordpress-file-upload'
• wordpress / composer / npm:
wp plugin update wordpress-file-upload
Disclosure
Exploit status
EPSS
66.12% (percentile 99%)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-11613 is to upgrade the WordPress File Upload plugin to a version with the security patch. If immediate upgrading is not possible due to compatibility issues or breaking changes, consider temporarily disabling the plugin. While not a complete solution, implementing strict file upload restrictions within WordPress itself (limiting allowed file types and sizes) can reduce the attack surface. Monitor web server access logs for suspicious activity related to 'wfu_file_downloader.php', specifically looking for unusual parameters or file requests. After upgrading, confirm the vulnerability is resolved by attempting a controlled code execution test on a staging environment.
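One way to carry out the access-log check recommended above, as an added example that is not part of this advisory or of the plugin: it parses combined-format access log lines, keeps only requests to wfu_file_downloader.php, and flags parameter values that decode to path traversal or an absolute path. The log lines, IPs and file names are constructed for the example.

```python
"""Flag requests to the WordPress File Upload download handler in access logs.
Added example for this advisory, not code from the plugin or its vendor;
the log lines below are constructed, not captured from a real server."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

HANDLER = "wfu_file_downloader.php"
# Combined log format: host ident user [time] "METHOD target proto" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')


def suspicious_values(query: str) -> list:
    """Return 'key=decoded' for parameters whose value looks like path
    traversal or an absolute path. Decodes twice to catch %252e tricks."""
    findings = []
    for key, values in parse_qs(query, keep_blank_values=True).items():
        for raw in values:
            decoded = unquote(unquote(raw))
            if ".." in decoded or decoded.startswith("/") or "\\" in decoded:
                findings.append(f"{key}={decoded}")
    return findings


def scan_log(lines) -> list:
    """Return one record per request whose path ends in the handler name."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than abort the scan
        ip, ts, method, target, status = m.groups()
        parts = urlsplit(target)
        if not parts.path.endswith(HANDLER):
            continue
        hits.append({"ip": ip, "time": ts, "method": method, "status": int(status),
                     "query": parts.query, "flags": suspicious_values(parts.query)})
    return hits


# Constructed sample: one ordinary page view, one plausible download, two odd ones.
PLUGIN = "/wp-content/plugins/wordpress-file-upload/" + HANDLER
SAMPLE_LOG = [
    '203.0.113.5 - - [08/Jan/2025:10:15:02 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    f'203.0.113.5 - - [08/Jan/2025:10:15:09 +0000] "GET {PLUGIN}?file=report.pdf&ticket=ab12 HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
    f'198.51.100.7 - - [08/Jan/2025:10:16:41 +0000] "GET {PLUGIN}?source=..%2F..%2Fwp-config.php HTTP/1.1" 200 3010 "-" "curl/8.4"',
    f'198.51.100.7 - - [08/Jan/2025:10:16:43 +0000] "GET {PLUGIN}?file=%252e%252e%2Fx HTTP/1.1" 404 0 "-" "curl/8.4"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        level = "ALERT" if hit["flags"] else "info "
        print(level, hit["ip"], hit["method"], hit["status"], hit["query"], hit["flags"])
```

Feed real log lines in place of SAMPLE_LOG; any hit with a non-empty "flags" list is worth correlating against the same client's other requests.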
Update the WordPress File Upload plugin to the latest available version. This fixes the remote code execution, arbitrary file read and arbitrary file deletion vulnerabilities.
CVE-2024-11613 is a critical Remote Code Execution vulnerability in the WordPress File Upload plugin, allowing attackers to execute code on the server without authentication.
You are affected if you are using the WordPress File Upload plugin version 4.24.15 or earlier. Check your plugin version and upgrade immediately.
Upgrade the WordPress File Upload plugin to the latest available version with the security patch. If upgrading is not immediately possible, disable the plugin temporarily.
While active exploitation is not yet confirmed, the vulnerability's ease of exploitation suggests it is likely to be targeted soon. Monitor your systems closely.
Refer to the WordPress security announcements page and the WordPress File Upload plugin's official website for updates and advisories regarding CVE-2024-11613.