CVE-2024-11613
Published: 08 January 2025
Description
The WordPress File Upload plugin for WordPress is vulnerable to Remote Code Execution, Arbitrary File Read, and Arbitrary File Deletion in all versions up to, and including, 4.24.15 via the 'wfu_file_downloader.php' file. This is due to lack of proper sanitization of the 'source' parameter and allowing a user-defined directory path. This makes it possible for unauthenticated attackers to execute code on the server.
Security Summary
CVE-2024-11613 is a critical vulnerability in the WordPress File Upload plugin for WordPress, affecting all versions up to and including 4.24.15. It stems from insufficient sanitization of the 'source' parameter in the 'wfu_file_downloader.php' file, which permits user-defined directory paths. This flaw enables remote code execution (RCE), arbitrary file read, and arbitrary file deletion, and is classified under CWE-94 (Improper Control of Generation of Code). The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), a critical rating reflecting that it is reachable over the network and requires neither privileges nor user interaction.
Unauthenticated attackers can exploit this vulnerability remotely with low complexity and no user interaction required. By manipulating the 'source' parameter, they can target arbitrary files and directories on the server, leading to code execution, data exfiltration via file reads, or disruption through file deletions. Successful exploitation grants full control over the affected WordPress instance, potentially compromising the entire hosting environment.
Advisories and references, including a Wordfence threat intelligence report and an analysis on abrahack.com, detail the issue, while the plugin's source code in the WordPress SVN repository and a specific patch in changeset 3217005 on the WordPress Trac provide mitigation paths. Security practitioners should update the plugin to a version beyond 4.24.15 incorporating the fix in changeset 3217005 to sanitize inputs and restrict path traversal.
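The root cause described above is a client-controlled path reaching a filesystem operation. The following PHP function is an added example of the defensive check the advisory calls for; it is not code from the WordPress File Upload plugin, nor from the fix in changeset 3217005. It assumes that the download endpoint serves files only from one fixed, server-chosen base directory (the hypothetical `wfu_example_resolve_download_path()` name and the temporary directory layout are constructed for the demonstration), and it canonicalises both the base directory and the requested file with `realpath()` before comparing them.

```php
<?php
// Added example, not the plugin's own code. Resolves a user-supplied 'source'
// value to a file that must lie inside a fixed base directory; returns null
// for anything else (traversal, absolute paths, missing files, directories).
function wfu_example_resolve_download_path(string $baseDir, string $source): ?string
{
    // NUL bytes can truncate paths inside filesystem calls; refuse them outright.
    if (strpos($source, "\0") !== false) {
        return null;
    }

    // Canonicalise the base directory so symlinks and trailing slashes cannot
    // defeat the prefix comparison further down.
    $realBase = realpath($baseDir);
    if ($realBase === false) {
        return null;
    }

    // Treat 'source' strictly as a path relative to the base directory: strip
    // leading separators so an absolute path cannot replace the base.
    $candidate = $realBase . DIRECTORY_SEPARATOR . ltrim($source, "/\\");

    // realpath() resolves '..' segments and symlinks against the real filesystem
    // and returns false when the target does not exist.
    $realTarget = realpath($candidate);
    if ($realTarget === false || !is_file($realTarget)) {
        return null;
    }

    // The resolved file must still sit strictly below the base directory.
    $prefix = $realBase . DIRECTORY_SEPARATOR;
    if (strncmp($realTarget, $prefix, strlen($prefix)) !== 0) {
        return null;
    }

    return $realTarget;
}

// Constructed demonstration data: a temporary base directory with one file
// inside it and one file just outside it.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'wfu_example_' . bin2hex(random_bytes(4));
mkdir($base . '/uploads', 0700, true);
file_put_contents($base . '/uploads/report.pdf', 'sample content');
file_put_contents($base . '/secret.txt', 'must not be served');

// An in-scope request resolves to the real file path.
var_dump(wfu_example_resolve_download_path($base . '/uploads', 'report.pdf'));

// Traversal and absolute-path requests are refused (null), as is a directory.
var_dump(wfu_example_resolve_download_path($base . '/uploads', '../secret.txt'));
var_dump(wfu_example_resolve_download_path($base . '/uploads', $base . '/secret.txt'));
var_dump(wfu_example_resolve_download_path($base . '/uploads', '.'));
```

The important design choice is that the client never names a directory at all: the base directory is configuration, the request supplies only a relative file name, and the comparison is made on `realpath()` output rather than on the raw string, so encoded or symlinked variants of `..` are caught after resolution rather than by pattern matching.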
Details
- CWE(s)