Path Traversal Vulnerability in WordPress File Upload Plugin
CVE-2024-9939

7.5HIGH

Key Information:

Vendor
Wordpress
Status
WordPress File Upload
Vendor
CVE Published:
8 January 2025

What is CVE-2024-9939?

CVE-2024-9939 is a path traversal vulnerability found in the WordPress File Upload plugin. This plugin is designed to facilitate the uploading of files within WordPress environments, which is a common feature for many websites that utilize this content management system. The vulnerability allows unauthenticated attackers to manipulate file paths, enabling them to access files outside of the designated upload directory. This could lead to unauthorized reading of sensitive files, which poses a significant risk to organizations relying on this plugin for their file management needs.

Technical Details

The vulnerability resides in the wfu_file_downloader.php script, affecting all versions of the WordPress File Upload plugin up to and including version 4.24.13. Attackers can exploit this flaw by crafting requests that exploit path traversal, thereby gaining access to system files that are not typically visible or accessible through standard directory structures. The lack of proper input validation and sanitization allows these requests to successfully traverse the directory hierarchy, fundamentally compromising the security of the affected WordPress installation.

Potential impact of CVE-2024-9939

  1. Unauthorized Data Access: Attackers can gain access to sensitive files, including configuration files and other critical data, which may include credentials and personal information, reinforcing the need for strict access controls.

  2. Data Breaches: The exposure of sensitive files can lead to significant data breaches, potentially affecting user privacy and compliance with regulations such as GDPR or HIPAA. Organizations must be vigilant in protecting their data from unauthorized access.

  3. Reputation Damage: Organizations affected by unauthorized access due to this vulnerability may suffer reputational harm. The loss of customer trust can have long-lasting effects, impacting customer retention and brand integrity.

Affected Version(s)

WordPress File Upload * <= 4.24.13

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/changeset/3188857/wp-f...

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

abrahack
.