CVE-2024-13011

Critical

Published: 10 February 2025

Published

10 February 2025

Modified

15 April 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0225 84.7th percentile

Risk Priority 21 60% EPSS · 20% KEV · 20% CVSS

Description

The WP Foodbakery plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'upload_publisher_profile_image' function in versions up to, and including, 4.7. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

Security Summary

CVE-2024-13011 affects the WP Foodbakery plugin for WordPress in versions up to and including 4.7. The vulnerability is an arbitrary file upload issue caused by insufficient file type validation in the 'upload_publisher_profile_image' function, mapped to CWE-434 (Unrestricted Upload of File with Dangerous Type). Published on 2025-02-10, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical.

Unauthenticated attackers can exploit this vulnerability remotely with low complexity and no user interaction or privileges required. By leveraging the flawed upload function, they can place arbitrary files on the affected site's server, potentially enabling remote code execution and compromising the entire WordPress installation.

Advisories from sources like Wordfence's threat intelligence provide further details on the issue, while the plugin's ThemeForest listing offers context on its distribution. No specific patch information is detailed in the available references.

Details

CWE(s): CWE-434

References

https://themeforest.net/item/food-bakery-restaurant-bakery-responsive-wordpress-theme/18970331
security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/850fc4db-6e02-44c7-836a-02c433a0bae7?source=cve
security@wordfence.com