Platform
wordpress
Component
wp-file-upload
Fixed version
4.24.16
CVE-2024-11613 represents a critical Remote Code Execution (RCE) vulnerability within the WordPress File Upload plugin. This flaw allows unauthenticated attackers to execute code on the server, potentially leading to complete system compromise. The vulnerability impacts versions of the plugin up to and including 4.24.15. A patch is expected to be released by the plugin developers.
The impact of CVE-2024-11613 is severe. Successful exploitation allows an attacker to execute arbitrary code on the web server hosting the WordPress site. This could involve installing malware, stealing sensitive data (user credentials, database contents, configuration files), modifying website content, or pivoting to other systems on the network. Because no authentication is required, the attack surface is broad and accessible to a wide range of threat actors. The vulnerability's location within a file download handler ('wfu_file_downloader.php') makes it particularly insidious, as attackers can potentially leverage legitimate download functionality to mask their malicious activity.
This vulnerability is considered highly likely to be exploited because of its ease of exploitation and the lack of authentication required. Public proof-of-concept (PoC) code is likely to emerge quickly following public disclosure. The vulnerability was published on 2025-01-08. Monitor CISA KEV listings for potential inclusion. Active exploitation campaigns are possible, particularly against vulnerable WordPress installations.
WordPress websites utilizing the File Upload plugin, particularly those running older versions (≤4.24.15), are at significant risk. Shared hosting environments are especially vulnerable, as they often lack granular control over plugin updates and security configurations. Websites with custom integrations or extensions built on top of the File Upload plugin may also be affected.
• wordpress / composer / npm:
  grep -r 'wfu_file_downloader.php' /var/www/html/
• generic web:
  curl -I https://your-wordpress-site.com/wp-content/plugins/wordpress-file-upload/wfu_file_downloader.php | grep -i 'source='
• wordpress / composer / npm:
  wp plugin list | grep 'WordPress File Upload'
• wordpress / composer / npm:
  wp plugin update wordpress-file-upload --all
Disclosure
Exploit status
EPSS
66.12% (99th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-11613 is to upgrade the WordPress File Upload plugin to a version with the security patch. If immediate upgrading is not possible due to compatibility issues or breaking changes, consider temporarily disabling the plugin. While not a complete solution, implementing strict file upload restrictions within WordPress itself (limiting allowed file types and sizes) can reduce the attack surface. Monitor web server access logs for suspicious activity related to 'wfu_file_downloader.php', specifically looking for unusual parameters or file requests. After upgrading, confirm the vulnerability is resolved by attempting a controlled code execution test in a staging environment.
Update the WordPress File Upload plugin to the latest version. This fixes the remote code execution, arbitrary file read, and arbitrary file deletion vulnerabilities.
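As an added defensive example (not part of this advisory or of the plugin's code), the following Python script implements the access-log check described above: it parses combined-format log lines, counts every request to wfu_file_downloader.php per client address, and flags requests whose query parameters decode to traversal sequences or absolute paths. The traversal heuristic, the double-decoding step and the sample log lines are assumptions of this example; the advisory itself names only the handler file and the 'source=' parameter.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs, unquote

# Apache/nginx "combined" log format. Assumption: the web server logs in this format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

TARGET_FILE = "wfu_file_downloader.php"  # download handler named in the advisory
# Heuristic (assumption, not from the advisory): values that look like traversal,
# absolute paths, NUL bytes or PHP stream wrappers are not ordinary download names.
SUSPICIOUS = re.compile(r'(\.\./|\.\.\\|^/|^[A-Za-z]:\\|\x00|php://)')

def decode_deep(value, rounds=3):
    """URL-decode repeatedly so double-encoded values (%252e%252e) are still caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan_access_log(lines):
    """Return (findings, hits_per_ip) for requests that touch the download handler."""
    findings, per_ip = [], Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip
        url = urlsplit(m.group("target"))
        if not url.path.endswith(TARGET_FILE):
            continue
        per_ip[m.group("ip")] += 1
        params = parse_qs(url.query, keep_blank_values=True)  # decodes one level
        bad = {k: v for k, vs in params.items() for v in vs if SUSPICIOUS.search(decode_deep(v))}
        if bad:
            findings.append({"ip": m.group("ip"), "time": m.group("ts"),
                             "status": m.group("status"), "params": bad})
    return findings, per_ip

# Constructed sample log lines (not real traffic); addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [08/Jan/2025:10:15:01 +0000] "GET /wp-content/plugins/wordpress-file-upload/wfu_file_downloader.php?source=..%2f..%2f..%2fsecret.txt HTTP/1.1" 200 1843
198.51.100.4 - - [08/Jan/2025:10:15:05 +0000] "GET /wp-content/plugins/wordpress-file-upload/wfu_file_downloader.php?source=report.pdf HTTP/1.1" 200 52311
198.51.100.4 - - [08/Jan/2025:10:15:09 +0000] "GET /wp-login.php HTTP/1.1" 200 2100
203.0.113.7 - - [08/Jan/2025:10:15:12 +0000] "GET /wp-content/plugins/wordpress-file-upload/wfu_file_downloader.php?source=%252e%252e%252fsecret.txt HTTP/1.1" 404 310
"""
```

Run it against a real log with `scan_access_log(open("/var/log/apache2/access.log"))`; a client with many handler hits but no flagged parameters is still worth a look, since the heuristic only covers obvious cases.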
CVE-2024-11613 is a critical Remote Code Execution vulnerability in the WordPress File Upload plugin, allowing attackers to execute code on the server without authentication.
You are affected if you are using the WordPress File Upload plugin version 4.24.15 or earlier. Check your plugin version and upgrade immediately.
Upgrade the WordPress File Upload plugin to the latest available version with the security patch. If upgrading is not immediately possible, disable the plugin temporarily.
While active exploitation is not yet confirmed, the vulnerability's ease of exploitation suggests it is likely to be targeted soon. Monitor your systems closely.
Refer to the WordPress security announcements page and the WordPress File Upload plugin's official website for updates and advisories regarding CVE-2024-11613.