WordPress File Upload < 4.25.0 – Unauthenticated Remote Code Execution, Arbitrary File Read, and Arbitrary File Deletion | CVE 2024-11613 | Plugin Vulnerabilities

Description

The WordPress File Upload plugin for WordPress is vulnerable to Remote Code Execution, Arbitrary File Read, and Arbitrary File Deletion in all versions up to, and including, 4.24.15 via the 'wfu_file_downloader.php' file. This is due to lack of proper sanitization of the 'source' parameter and allowing a user-defined directory path. This makes it possible for unauthenticated attackers to execute code on the server.

Affects Plugins

Fixed in 4.25.0

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/31052fe6-a0ae-4502-b2d2-dbc3b3bf672f

Classification

Type

RCE

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

abrahack

Verified

No

WPVDB ID

07c1e010-9e5f-43f2-9403-7b8df920d9cf

Timeline

Publicly Published

2025-01-07 (about 1 year ago)

Added

2025-01-07 (about 1 year ago)

Last Updated

2025-03-24 (about 1 year ago)

Other

Published

Title

Published

2025-04-21

Title

Ocean Extra < 2.4.7 - Unauthenticated Arbitrary Shortcode Execution

Published

2025-02-11

Title

Global Gallery - WordPress Responsive Gallery < 9.1.6 - Authenticated (Subscriber+) Arbitrary Shortcode Execution

Published

2025-10-24

Title

Discussion Board – WordPress Forum Plugin < 2.5.6 - Authenticated (Subscriber+) Arbitrary Shortcode Execution

Published

2025-05-16

Title

RS WP Book Showcase <= 6.7.57 - Unauthenticated Arbitrary Shortcode Execution

Published

2020-02-18

Title

ThemeREX Addons - Remote Code Execution