CVE-2024-11635
Published: 08 January 2025
Description
The WordPress File Upload plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.24.12 via the 'wfu_ABSPATH' cookie parameter. This makes it possible for unauthenticated attackers to execute code on the server.
Security Summary
CVE-2024-11635, published on 2025-01-08, is a critical Remote Code Execution vulnerability (CVSS 9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) classified under CWE-94 (Code Injection) in the WordPress File Upload plugin for WordPress. It affects all versions up to and including 4.24.12 and is exploitable via manipulation of the 'wfu_ABSPATH' cookie parameter, enabling arbitrary code execution on the server.
Unauthenticated attackers can exploit this vulnerability over the network with low attack complexity and no user interaction. Successful exploitation provides high impacts on confidentiality, integrity, and availability, allowing full control over the affected server.
Advisories and analyses, including Wordfence threat intelligence at https://www.wordfence.com/threat-intel/vulnerabilities/id/b5165f60-6515-4a2c-a124-cc88155eaf01?source=cve and a detailed breakdown at https://abrahack.com/posts/wp-file-upload-rce-part1/, provide further context. The plugin's source code, such as wfu_file_downloader.php at https://plugins.svn.wordpress.org/wp-file-upload/trunk/wfu_file_downloader.php, is referenced for review.
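A defender-side triage helper for this CVE, added here as an example and not part of the advisory or the plugin: it checks an installed plugin's version header against the "up to and including 4.24.12" range stated above, and flags requests that carry the 'wfu_ABSPATH' cookie in a sample access log. The plugin header text, log format and log lines are constructed for the example; cookie values are placeholders.

```python
import re
from typing import List, Optional, Tuple

# From the advisory: every release up to and including 4.24.12 is affected.
LAST_AFFECTED = (4, 24, 12)
# Cookie parameter named in the advisory; a normal visitor's browser has no reason to send it.
SUSPECT_COOKIE = "wfu_ABSPATH"

# Constructed plugin header in the format WordPress reads (not the real plugin file).
SAMPLE_PLUGIN_HEADER = "<?php\n/*\nPlugin Name: WordPress File Upload\nVersion: 4.24.12\n*/\n"

# Constructed access-log lines in a format that records the Cookie header,
# e.g. Apache LogFormat '%h "%r" %>s "%{Cookie}i"'. Values are placeholders.
SAMPLE_LOG = [
    '198.51.100.7 "GET /wp-login.php HTTP/1.1" 200 "wordpress_test_cookie=WP+Cookie+check"',
    '203.0.113.5 "GET /index.php HTTP/1.1" 200 "PHPSESSID=placeholder; wfu_ABSPATH=PLACEHOLDER"',
    '203.0.113.5 "GET /?p=1 HTTP/1.1" 200 "wfu_ABSPATH=PLACEHOLDER"',
]

LOG_RE = re.compile(r'^(?P<ip>\S+) "(?P<request>[^"]*)" (?P<status>\d{3}) "(?P<cookie>[^"]*)"$')
# Match the cookie name only at the start of the header or after a ';' separator.
COOKIE_RE = re.compile(r"(?:^|;\s*)" + re.escape(SUSPECT_COOKIE) + r"=")


def parse_plugin_version(header_text: str) -> Optional[Tuple[int, ...]]:
    """Extract the 'Version:' line from a plugin header (simplified WordPress header parsing)."""
    m = re.search(r"^\s*\*?\s*Version:\s*([0-9]+(?:\.[0-9]+)*)", header_text, re.M)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def is_affected(version: Tuple[int, ...]) -> bool:
    """True when version <= 4.24.12; tuple comparison orders 4.25 above 4.24.12 correctly."""
    return version <= LAST_AFFECTED


def find_suspect_requests(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (client_ip, request_line) for every logged request carrying the wfu_ABSPATH cookie."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and COOKIE_RE.search(m.group("cookie")):
            hits.append((m.group("ip"), m.group("request")))
    return hits


if __name__ == "__main__":
    installed = parse_plugin_version(SAMPLE_PLUGIN_HEADER)
    print("installed version:", installed, "affected:", is_affected(installed))
    for ip, request in find_suspect_requests(SAMPLE_LOG):
        print("review request from", ip, "->", request)
```

Any hit from `find_suspect_requests` is worth a closer look in the full request record, and an affected version should be updated regardless of whether the cookie shows up in logs.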
Details
- CWE(s)