Remote Code Execution and File Manipulation in WordPress File Upload Plugin
CVE-2024-11613

9.8 CRITICAL

Key Information:

Vendor: Wordpress
CVE Published: 8 January 2025

Badges

📈 Score: 335
👾 Exploit Exists
🟡 Public PoC

What is CVE-2024-11613?

CVE-2024-11613 is a critical vulnerability affecting the WordPress File Upload plugin developed by Nickboss. This plugin is widely used by WordPress sites to facilitate file uploads from users. The vulnerability allows unauthenticated attackers to execute remote code on the server due to improper sanitization of input parameters, particularly in the file handling component. Exploitation can lead to severe disruptions for organizations, affecting the integrity and confidentiality of their data.

Technical Details

The vulnerability exists in all versions of the WordPress File Upload plugin up to and including version 4.24.15. It is triggered by the wfu_file_downloader.php file, which does not adequately validate the 'source' parameter, allowing attackers to define arbitrary directory paths. This flaw not only enables the execution of malicious code on impacted servers but also facilitates arbitrary file reading and deletion, resulting in further security risks.
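A defender-side check for the behaviour described above, as an added example that is not code from the plugin or from this advisory: it scans web-server access logs for requests that reach wfu_file_downloader.php and flags those carrying a source parameter. The log lines, the PLUGIN_DIR placeholder path, and the assumption that the parameter is visible in the query string are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample lines in "combined" log format (not real traffic).
# PLUGIN_DIR is a placeholder: the advisory does not give the install path.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2025:10:00:01 +0000] "GET /wp-content/plugins/PLUGIN_DIR/wfu_file_downloader.php?source=%2Fconstructed%2Fdir HTTP/1.1" 200 512 "-" "curl/8.0"
198.51.100.4 - - [10/Jan/2025:10:00:05 +0000] "GET /index.php?source=newsletter HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2025:10:00:09 +0000] "POST /wp-content/plugins/PLUGIN_DIR/WFU_File_Downloader.php HTTP/1.1" 200 0 "-" "curl/8.0"
192.0.2.9 - - [10/Jan/2025:10:00:12 +0000] "GET /wp-content/plugins/PLUGIN_DIR/wfu_file_downloader.php?s%6Furce=%2Fconstructed HTTP/1.1" 403 0 "-" "-"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+) [^"]*" (\d{3})')
TARGET = "/wfu_file_downloader.php"   # file named in the advisory
PARAM = "source"                      # parameter named in the advisory


def scan(log_text):
    """Return one finding per request that reached the downloader script."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        ip, when, method, target, status = m.groups()
        parts = urlsplit(target)
        # Decode and lowercase the path so encoded or mixed-case spellings match.
        if not unquote(parts.path).lower().endswith(TARGET):
            continue
        # parse_qs percent-decodes names, so "s%6Furce" is seen as "source".
        names = {k.lower() for k in parse_qs(parts.query, keep_blank_values=True)}
        if PARAM in names:
            reason = "source parameter in query string"
        elif method != "GET":
            reason = "non-GET request (body not logged, review manually)"
        else:
            reason = "direct request to downloader script"
        findings.append({"ip": ip, "time": when, "status": int(status), "reason": reason})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['time']}  {f['ip']:<15} {f['status']}  {f['reason']}")
```

A flagged request that returned 200 on a site still running version 4.24.15 or earlier is the case to investigate first.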

Potential impact of CVE-2024-11613

  1. Remote Code Execution: Attackers can run arbitrary code on compromised servers, leading to full control over the hosting environment and potential installation of additional malicious payloads.

  2. Data Loss and Manipulation: The ability to read and delete files can result in significant data loss. Sensitive files may be compromised, adversely affecting business operations and data integrity.

  3. Reputational Damage: An organization exposed to such vulnerabilities may suffer from a loss of trust among users and customers, potentially leading to long-term repercussions in terms of reputation and client retention.

Affected Version(s)

WordPress File Upload * <= 4.24.15

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. It is also a key component of weaponization, which could lead to ransomware.

CVSS V3.1

Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • 🟡 Public PoC available

  • 👾 Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

abrahack