Cross-Site Request Forgery in WordPress File Upload Plugin
CVE-2024-13494

4.3MEDIUM

Key Information:

Vendor: Nickboss
Status: WordPress File Upload
Vendor: CVE Published:; 25 February 2025

Summary

The WordPress File Upload plugin is susceptible to Cross-Site Request Forgery (CSRF) due to inadequate nonce validation in the 'wfu_file_details' function. This vulnerability allows attackers to exploit the system by tricking a site administrator into executing unintended actions. If successful, an attacker could modify user data related to uploaded files without proper authentication, posing significant security risks to WordPress sites utilizing this plugin.

Affected Version(s)

WordPress File Upload * <= 4.25.2

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/changeset/3241028/wp-f...

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Feb 25, 2025
Vulnerability Reserved
Jan 16, 2025

Credit

Tim Coen