Unauthenticated Attackers Can Read or Delete Files via Path Traversal Flaw in WordPress File Upload Plugin
CVE-2024-9047

9.8 CRITICAL

Key Information:

Vendor: WordPress
CVE Published: 12 October 2024

Badges

📈 Score: 221 | 👾 Exploit Exists | 🟡 Public PoC

What is CVE-2024-9047?

CVE-2024-9047 is a critical vulnerability identified in the WordPress File Upload plugin developed by Nickboss. This plugin is commonly used to facilitate file uploads on WordPress websites. The vulnerability arises from a path traversal flaw that allows unauthenticated attackers to access and manipulate files outside the intended directory. This can severely compromise the security of an organization’s WordPress site, potentially leading to unauthorized file access or deletion.

Technical Details

The vulnerability exists in all versions of the WordPress File Upload plugin up to and including 4.24.11, specifically through the wfu_file_downloader.php file. Exploitation of this vulnerability is contingent upon the targeted WordPress host running PHP version 7.4 or earlier, which significantly amplifies the risk for sites using these configurations. With this flaw, attackers can construct requests that navigate through directories, breaching the access controls typically enforced by the application.
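The two conditions above (plugin version up to and including 4.24.11, PHP 7.4 or earlier) can be checked across a site inventory, and access logs can be reviewed for requests to wfu_file_downloader.php. The following is an added example, not code from the plugin or from the advisory; the inventory, the log lines, the PLUGIN_DIR placeholder and all function names are constructed for illustration.

```python
import re

# Bounds taken from the advisory text above.
LAST_AFFECTED_PLUGIN = (4, 24, 11)  # "up to and including 4.24.11"
LAST_AFFECTED_PHP = (7, 4)          # "PHP version 7.4 or earlier"
DOWNLOADER = "wfu_file_downloader.php"

def parse_version(text):
    """'4.24.9' -> (4, 24, 9), so 4.24.9 sorts before 4.24.11 (string compare does not)."""
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(p) for p in parts)

def triage(plugin_version, php_version):
    """Classify one site against the advisory's two conditions."""
    plugin = (parse_version(plugin_version) + (0, 0, 0))[:3]  # '4.24' -> 4.24.0
    # Compare PHP on major.minor only: 7.4.33 still belongs to the 7.4 branch.
    php_branch = parse_version(php_version)[:2]
    if plugin > LAST_AFFECTED_PLUGIN:
        return "not-affected"
    if php_branch <= LAST_AFFECTED_PHP:
        return "exposed"             # affected version and PHP precondition met
    return "precondition-unmet"      # affected version still installed; upgrade it

def downloader_requests(log_lines):
    """Return (client, request target) for access-log hits on the downloader script."""
    pattern = re.compile(r'^(\S+) .*?"[A-Z]+ (\S+) HTTP/[\d.]+"')
    hits = []
    for line in log_lines:
        m = pattern.match(line)
        if m and m.group(2).split("?", 1)[0].endswith("/" + DOWNLOADER):
            hits.append((m.group(1), m.group(2)))
    return hits

# Constructed inventory: site -> (plugin version, PHP version). Versions are samples.
SITES = {"blog": ("4.24.9", "7.4.33"), "shop": ("4.24.11", "8.1.2"),
         "docs": ("4.25.0", "7.4.3")}
# Constructed combined-format log lines; addresses are documentation ranges.
LOG = [
    '192.0.2.10 - - [12/Oct/2024:10:00:00 +0000] "GET /index.php HTTP/1.1" 200 512',
    '198.51.100.7 - - [12/Oct/2024:10:00:05 +0000] '
    '"POST /wp-content/plugins/PLUGIN_DIR/wfu_file_downloader.php?constructed=1 HTTP/1.1" 200 90',
]

if __name__ == "__main__":
    for site, (plugin, php) in SITES.items():
        print(site, triage(plugin, php))
    for client, target in downloader_requests(LOG):
        print("review:", client, target)
```

Requests to the downloader script on a site classified as "exposed" are the ones to review first.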

Potential Impact of CVE-2024-9047

  • Unauthorized Data Exposure: Attackers can view sensitive files that should not be accessible, potentially leading to data breaches and exposure of confidential information.

  • Data Manipulation or Deletion: The ability to delete files could disrupt business operations by removing critical documents, images, or media that are integral to the website's functionality.

  • Increased Vulnerability to Further Attacks: A successful exploitation of this vulnerability may serve as a foothold for attackers, allowing them to launch further malicious activities, such as installing malware or conducting phishing attacks on the compromised site.

Affected Version(s)

WordPress File Upload * <= 4.24.11

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which could lead to ransomware.

CVSS V3.1

Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • 🟡 Public PoC available

  • 👾 Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

Arkadiusz Hydzik