Platform
wordpress
Component
wp-file-upload
Fixed version
4.24.16
CVE-2024-11613 is a critical unauthenticated Remote Code Execution (RCE) vulnerability in the WordPress File Upload plugin (slug wp-file-upload). It affects all versions up to and including 4.24.15 and is fixed in 4.24.16. No authentication is needed to reach the vulnerable code, so a successful attack can end in complete compromise of the site and of the server account it runs under.
The impact is severe. Successful exploitation lets an attacker run arbitrary code on the web server hosting the site: installing web shells or other malware, reading sensitive data (user credentials, database contents, wp-config.php), altering or defacing content, or pivoting to other systems reachable from the host. Because no authentication is required, anyone who can reach the site over HTTP can attempt it. The flaw lives in the plugin's file download handler, wfu_file_downloader.php, which does not properly sanitize the input it receives (the source parameter that the detection commands below key on); the same weakness yields arbitrary file read and arbitrary file deletion in addition to code execution. Since the endpoint is a legitimate download handler, exploitation attempts look like ordinary download requests and blend into normal traffic unless request parameters are inspected.
Exploitation is considered likely: the flaw is easy to trigger and needs no authentication, so public proof-of-concept (PoC) code can be expected shortly after disclosure. The vulnerability was published on 2025-01-08. Watch the CISA KEV catalogue for inclusion; mass scanning for vulnerable WordPress installations is a realistic expectation.
Any WordPress site running the WordPress File Upload plugin at version 4.24.15 or earlier is at significant risk. Sites on shared or unmanaged hosting, where plugin updates are often applied late or not at all, are especially exposed. Sites with custom integrations or extensions built on top of the plugin are affected just the same and should not let compatibility concerns delay the upgrade.
• wordpress / composer / npm:
grep -r 'wfu_file_downloader.php' /var/www/html/
• generic web:
curl -sI https://your-wordpress-site.com/wp-content/plugins/wp-file-upload/wfu_file_downloader.php | head -n 1
curl -s https://your-wordpress-site.com/wp-content/plugins/wp-file-upload/readme.txt | grep -i 'stable tag'
(a 200 on the first request shows the vulnerable handler is reachable but not which version is installed; the readme's Stable tag line usually gives the version)
• wordpress / composer / npm:
wp plugin list | grep wp-file-upload
wp plugin get wp-file-upload --field=version
• wordpress / composer / npm:
wp plugin update wp-file-upload
Disclosure
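The checks above are quick to type but easy to get wrong when comparing versions by hand (string order puts 4.24.9 after 4.24.15). The following script is an added example, not code from the plugin or from this advisory: it locates the plugin under a wp-content/plugins directory, reads the Version field from the WordPress plugin header, and reports whether the install is below the fixed release and whether the vulnerable handler file is present. It assumes the plugin directory is named wp-file-upload and that the header lives in one of the plugin's top-level .php files; the main file's name is deliberately not assumed.

```python
"""Added example: check an installed WordPress File Upload plugin against the
CVE-2024-11613 fixed version. Not the plugin's own code; it assumes the plugin
lives under <plugins dir>/wp-file-upload and carries a standard WordPress
plugin header (a 'Version:' line) in one of its top-level .php files."""
import json
import re
import sys
from pathlib import Path

FIXED_VERSION = "4.24.16"           # first patched release (from the advisory)
PLUGIN_SLUG = "wp-file-upload"      # WordPress.org slug = directory name
VULNERABLE_FILE = "wfu_file_downloader.php"

# Plugin header lines look like "Version: 4.24.15" or " * Version: 4.24.15".
HEADER_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)", re.MULTILINE)


def parse_version(version):
    """'4.24.15' -> (4, 24, 15). Tuples compare numerically; comparing the raw
    strings would rank '4.24.9' above '4.24.15' and misclassify it as safe."""
    return tuple(int(p) for p in version.strip(".").split("."))


def is_vulnerable(version):
    """True for every release below the fixed version (i.e. <= 4.24.15)."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def plugin_version_from_header(php_source):
    """Extract the Version field from a plugin header comment, or None."""
    m = HEADER_RE.search(php_source)
    return m.group(1) if m else None


def find_plugin_version(plugins_dir):
    """Scan top-level .php files of the plugin directory for a header.
    This avoids hard-coding the main file's name (an assumption we don't make)."""
    plugin_dir = Path(plugins_dir) / PLUGIN_SLUG
    if not plugin_dir.is_dir():
        return None
    for php in sorted(plugin_dir.glob("*.php")):
        version = plugin_version_from_header(php.read_text(errors="ignore"))
        if version:
            return version
    return None


def assess(plugins_dir):
    """Summarise exposure for one wp-content/plugins directory."""
    plugin_dir = Path(plugins_dir) / PLUGIN_SLUG
    version = find_plugin_version(plugins_dir)
    return {
        "installed": plugin_dir.is_dir(),
        "version": version,
        "vulnerable_file_present": (plugin_dir / VULNERABLE_FILE).is_file(),
        "vulnerable": version is not None and is_vulnerable(version),
    }


if __name__ == "__main__":
    # Usage: python check_wfu.py /var/www/html/wp-content/plugins
    target = sys.argv[1] if len(sys.argv) > 1 else "/var/www/html/wp-content/plugins"
    print(json.dumps(assess(target), indent=2))
```

Run it against each WordPress document root on a host; a result with "vulnerable": true, or with the handler file present but no readable version, is a site to upgrade first.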
Exploitation status
EPSS
66.12% (99th percentile)
CISA SSVC
CVSS vector
The primary mitigation is to upgrade the WordPress File Upload plugin to 4.24.16 or later. If an immediate upgrade is impossible because of compatibility concerns, deactivate the plugin, or block requests to wfu_file_downloader.php at the web server or WAF, until it can be updated. Tightening WordPress's own upload restrictions (allowed file types and sizes) does not address this flaw, which is in the download handler rather than the uploader, and should not be relied on as a mitigation. Review web server access logs for requests to wfu_file_downloader.php, in particular those carrying a source parameter with path traversal sequences or absolute paths, and treat any such hit from before the upgrade as a potential compromise to investigate. After upgrading, confirm the installed version is 4.24.16 or later and, on a staging copy, verify that the download handler no longer accepts such input.
Update the WordPress File Upload plugin to the latest available version. This fixes the remote code execution, arbitrary file read and arbitrary file deletion vulnerabilities.
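The log review recommended above is worth scripting, since the malicious requests differ from legitimate downloads only in their query string. The following is an added example (not code from the plugin or from this advisory): it parses combined-format access log lines, keeps only requests to wfu_file_downloader.php, and flags a source parameter that contains traversal sequences, an absolute path, or a PHP stream wrapper scheme. The log format, the choice of source as the parameter to inspect, and the three heuristics are this example's own assumptions; the sample lines are constructed, not real traffic.

```python
"""Added example: triage access-log lines for requests to the vulnerable
wfu_file_downloader.php endpoint (CVE-2024-11613). Not the plugin's or the
advisory's code. Assumes Apache/nginx combined log format and uses the
'source' query parameter as the field to inspect; the traversal / absolute
path / stream-wrapper heuristics are this example's own choices."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

ENDPOINT = "wfu_file_downloader.php"

# host ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")                  # ../ or ..\
ABSOLUTE_RE = re.compile(r"^(/|\\\\|[A-Za-z]:[/\\])")    # /etc/..., \\share, C:\
WRAPPER_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.IGNORECASE)  # php://, phar://


def classify(line):
    """Return None for lines that do not touch the endpoint, otherwise a
    dict with the raw source value and a list of risk flags."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith("/" + ENDPOINT):
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)
    source = qs.get("source", [None])[0]
    flags = []
    if source is not None:
        flags.append("source-param")
        # Decode twice so %252e%252e-style double encoding does not slip past.
        decoded = unquote(unquote(source))
        if TRAVERSAL_RE.search(decoded):
            flags.append("traversal")
        if ABSOLUTE_RE.match(decoded):
            flags.append("absolute-path")
        if WRAPPER_RE.match(decoded):
            flags.append("stream-wrapper")
    return {
        "ip": m.group("ip"),
        "time": m.group("time"),
        "status": int(m.group("status")),
        "source": source,
        "flags": flags,
    }


def triage(lines):
    """Run classify over an iterable of log lines, keeping only endpoint hits."""
    return [hit for hit in (classify(l) for l in lines) if hit]


# Constructed sample lines (not real traffic); addresses are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [08/Jan/2025:10:15:02 +0000] "GET /wp-content/plugins/wp-file-upload/'
    'wfu_file_downloader.php?source=..%2F..%2F..%2F..%2Fwp-config.php HTTP/1.1" 200 3121 "-" "curl/8.4.0"',
    '198.51.100.4 - - [08/Jan/2025:10:15:09 +0000] "GET /wp-content/uploads/2025/01/report.pdf HTTP/1.1" 200 88213 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [08/Jan/2025:10:16:41 +0000] "GET /wp-content/plugins/wp-file-upload/'
    'wfu_file_downloader.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [08/Jan/2025:10:17:55 +0000] "GET /wp-content/plugins/wp-file-upload/'
    'wfu_file_downloader.php?source=%2Fetc%2Fpasswd HTTP/1.1" 200 1843 "-" "python-requests/2.32"',
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit)
```

A hit with only the source-param flag deserves a look but may be a legitimate download; traversal, absolute-path or stream-wrapper hits that returned 200 before the upgrade should be treated as a likely successful read and handled as an incident.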
CVE-2024-11613 is a critical Remote Code Execution vulnerability in the WordPress File Upload plugin, allowing attackers to execute code on the server without authentication.
You are affected if you are running the WordPress File Upload plugin at version 4.24.15 or earlier. Check the installed plugin version and upgrade immediately.
Upgrade the WordPress File Upload plugin to the patched release (4.24.16 or later). If upgrading is not immediately possible, deactivate the plugin until it is.
While active exploitation is not yet confirmed, the vulnerability's ease of exploitation suggests it is likely to be targeted soon. Monitor your systems closely.
Refer to the WordPress security announcements page and the WordPress File Upload plugin's official website for updates and advisories regarding CVE-2024-11613.