Unrestricted File Access in WordPress File Upload (≤ v4.24.11)
Advisory Summary
Vulnerability Type: Path Traversal (CWE-22)
Affected Plugin: WordPress File Upload
Impacted Versions: ≤ 4.24.11
CVSSv3 Score: 7.5 (High) [AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N]
Attack Vector: Remote unauthenticated
Prerequisite: PHP ≤ 7.4
Impact
Successful exploitation allows:
- Unauthorized file system access
- Potential sensitive file disclosure (wp-config.php, etc.)
- Server-side request forgery (SSRF) opportunities
Mitigation Steps
Immediate Action:
Upgrade to WordPress File Upload ≥ v4.24.12
Migrate to PHP 8.0+ (disables dangerous path functions)
Detection:
SQL:
SELECT * FROM wp_options WHERE option_name = 'wordpress_file_upload' AND option_value LIKE '%4.24.11%';
Emergency Workaround:
Disable plugin via WP-CLI:
wp plugin deactivate wordpress-file-upload
Technical Details
Root Cause: Improper sanitization of filepath parameter
Exploit Trigger: Malicious ../ sequences in upload requests
PHP Dependency: Relies on deprecated realpath() behavior in PHP ≤ 7.4
Vendor Response
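The root cause above is an unsanitized filepath parameter that accepts ../ segments. The following is an added example of the containment check a defender would expect around such a parameter; it is not the plugin's code or the vendor's fix. It assumes uploads live under a base directory passed as $uploadBase, and that the target file usually does not exist yet, which is why realpath() is applied only to the directory component (realpath() returns false for a missing file, so the file name is validated separately). The parameter name and the temporary directory in the demonstration are constructed for this example.

```php
<?php
declare(strict_types=1);

/**
 * Resolve a user-supplied relative upload path against $uploadBase.
 * Returns the absolute target path, or null when the request would
 * escape the base directory or contains characters a file name never needs.
 */
function resolveUploadPath(string $uploadBase, string $userPath): ?string
{
    // Treat backslashes as separators too; Windows hosts accept both.
    $userPath = str_replace('\\', '/', $userPath);

    // Reject empty input, NUL bytes (which truncate paths in C-level
    // filesystem calls) and absolute paths.
    if ($userPath === '' || strpos($userPath, "\0") !== false || $userPath[0] === '/') {
        return null;
    }

    // Reject empty, "." and ".." segments outright instead of trying to
    // normalize them away: an upload name has no legitimate use for them.
    foreach (explode('/', $userPath) as $segment) {
        if ($segment === '' || $segment === '.' || $segment === '..') {
            return null;
        }
    }

    // The base directory must exist; realpath() also collapses symlinks.
    $base = realpath($uploadBase);
    if ($base === false) {
        return null;
    }

    $dir  = dirname($userPath);
    $name = basename($userPath);

    // Resolve the directory component (it must already exist) and confirm
    // the resolved directory is the base itself or lies beneath it. A
    // symlinked subdirectory pointing outside the base is caught here too.
    $targetDir = ($dir === '.') ? $base : realpath($base . '/' . $dir);
    if ($targetDir === false) {
        return null;
    }
    $prefix = rtrim($base, '/') . '/';
    if ($targetDir !== $base && strncmp($targetDir, $prefix, strlen($prefix)) !== 0) {
        return null;
    }

    return $targetDir . '/' . $name;
}

// Demonstration with constructed inputs: a temporary directory stands in
// for the plugin's upload base.
$tmp = sys_get_temp_dir() . '/wfu_demo_' . getmypid();
mkdir($tmp . '/2024', 0700, true);

var_dump(resolveUploadPath($tmp, '2024/report.pdf'));       // well-formed relative path
var_dump(resolveUploadPath($tmp, '../../wp-config.php'));   // contains ".." segments
var_dump(resolveUploadPath($tmp, '/etc/passwd'));           // absolute path
var_dump(resolveUploadPath($tmp, "2024/a.php\0.jpg"));      // contains a NUL byte
var_dump(resolveUploadPath($tmp, '2023/missing.txt'));      // directory does not exist

rmdir($tmp . '/2024');
rmdir($tmp);
```

Rejecting ".." segments before any normalization is deliberate: the check then does not depend on how a particular PHP version's realpath() treats the sequences, which is the dependency the advisory calls out, and the final prefix comparison on the resolved directory covers the symlink case that a string-only check would miss.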
Patch Released: v4.24.12 Changelog
Fixed By: Strict path normalization and PHP 8.0+ requirement
References
WordPress Plugin Directory Advisory
#WordPressSecurity #PathTraversal #WebSecurity #CVE20249047