CVE-2024-11613

Critical CVSS: 9.8

The WordPress File Upload plugin for WordPress is vulnerable to Remote Code Execution, Arbitrary File Read, and Arbitrary File Deletion in all versions up to, and including, 4.24.15 via the 'wfu_file_downloader.php' file. This is due to lack of proper sanitization of the 'source' parameter and allowing a user-defined directory path. This makes it possible for unauthenticated attackers to execute code on the server.

Vendor

Iptanus

Product

Wordpress File Upload

CWE

CWE-94

Yayın Tarihi

2025-01-08 07:15:26

Güncelleme

2025-04-17 02:41:14

Source Identifier

security@wordfence.com

KEV Date Added

Kategoriler

CWE-94 Wordpress File Upload CRITICAL Iptanus 2025

Referanslar

https://plugins.svn.wordpress.org/wp-file-upload/trunk/wfu_file_downloader.php https://plugins.trac.wordpress.org/changeset/3217005/ https://www.wordfence.com/threat-intel/vulnerabilities/id/31052fe6-a0ae-4502-b2d2-dbc3b3bf672f?source=cve

Benzer Kayıtlar

Medium

CVE-2024-13494

The WordPress File Upload plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and in…

High

CVE-2024-9939

The WordPress File Upload plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 4.2…

Critical

CVE-2024-11635

The WordPress File Upload plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and includi…

Medium

CVE-2024-12719

The WordPress File Upload plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability…