Cyber Posture

CVE-2024-13707
Severity: High
Published: 30 January 2025
Modified: 31 January 2025
KEV Added: (none listed)
Patch: (none listed)
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0018 (39.1st percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

The WP Image Uploader plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing or incorrect nonce validation in the gky_image_uploader_main_function() function. This makes it possible for unauthenticated attackers to delete arbitrary files via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

Security Summary

CVE-2024-13707 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, affecting the WP Image Uploader plugin for WordPress in all versions up to and including 1.0.1. The issue arises from missing or incorrect nonce validation in the gky_image_uploader_main_function() function and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). The vector reflects an attacker who needs no account on the site (PR:N) but does need a privileged user to act on a crafted request (UI:R).

Unauthenticated attackers can exploit this vulnerability by tricking a logged-in site administrator into performing an action, such as clicking on a malicious link, so that the administrator's browser submits the forged request with their session cookies. A successful forged request allows the attacker to delete arbitrary files on the targeted WordPress site.
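
The missing-nonce pattern the description refers to, shown as a vulnerable request handler beside a hardened one. This is an added, illustrative example written for this page, not the WP Image Uploader plugin's code and not a reconstruction of the line cited below: the function names (demo_image_uploader_handle_delete_vulnerable, demo_image_uploader_handle_delete, demo_image_uploader_render_form), the demo_delete and file request fields, and the nonce action and field names are hypothetical. The WordPress API calls (check_admin_referer, wp_nonce_field, current_user_can, wp_upload_dir, sanitize_file_name) are real.

```php
<?php
/**
 * Added example: the CSRF bug class behind CVE-2024-13707 (a state-changing
 * plugin handler without nonce validation) next to a hardened version.
 * Hypothetical names throughout; not the WP Image Uploader plugin's code.
 */

// --- Vulnerable shape (hypothetical). If this ran on every admin_init, any
// request carrying an administrator's session cookies would be honoured, so a
// form auto-submitted from an attacker-controlled page is enough to reach unlink().
function demo_image_uploader_handle_delete_vulnerable() {
    if ( empty( $_POST['demo_delete'] ) || empty( $_POST['file'] ) ) {
        return;
    }
    $upload = wp_upload_dir();
    // No nonce check, no capability check, no path confinement.
    $path = $upload['basedir'] . '/' . $_POST['file'];
    if ( file_exists( $path ) ) {
        unlink( $path );
    }
}

// --- Hardened shape. The CVE is about the missing nonce (check 1); the
// capability check and path confinement are the defence in depth a reviewer
// would also ask for on a file-deleting handler.
function demo_image_uploader_handle_delete() {
    if ( empty( $_POST['demo_delete'] ) || empty( $_POST['file'] ) ) {
        return;
    }
    // 1. CSRF: the nonce must have been issued for this action to this user.
    //    check_admin_referer() wraps wp_verify_nonce() and dies on failure,
    //    so its result cannot be silently ignored.
    check_admin_referer( 'demo_image_uploader_delete', 'demo_image_uploader_nonce' );

    // 2. Authorisation: a nonce proves intent, not privilege. A low-privilege
    //    user holds a perfectly valid nonce for their own session.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // 3. Confine the target to a file directly inside the uploads directory.
    $upload   = wp_upload_dir();
    $base_dir = realpath( $upload['basedir'] );
    $name     = sanitize_file_name( basename( wp_unslash( $_POST['file'] ) ) );
    $path     = realpath( $base_dir . '/' . $name );
    if ( false === $base_dir || false === $path
        || 0 !== strpos( $path, $base_dir . DIRECTORY_SEPARATOR ) ) {
        wp_die( 'Invalid file.', '', array( 'response' => 400 ) );
    }
    if ( is_file( $path ) ) {
        unlink( $path );
    }
}
add_action( 'admin_init', 'demo_image_uploader_handle_delete' );

// The legitimate form must carry the matching nonce field; a forged form on
// another origin cannot obtain that value, so the hardened handler rejects it.
function demo_image_uploader_render_form( $file_name ) {
    ?>
    <form method="post">
        <?php wp_nonce_field( 'demo_image_uploader_delete', 'demo_image_uploader_nonce' ); ?>
        <input type="hidden" name="demo_delete" value="1">
        <input type="hidden" name="file" value="<?php echo esc_attr( $file_name ); ?>">
        <button type="submit">Delete</button>
    </form>
    <?php
}
```

When auditing a plugin for the "incorrect nonce validation" half of this description, the usual findings are a call to wp_verify_nonce() whose return value is never checked, a nonce action string that does not match the one used when the nonce was generated, or a nonce check placed after the destructive operation. Any of these leaves the handler as exposed as the vulnerable version above.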

Advisories, including the Wordfence threat intelligence report, provide further details on the vulnerability. The plugin's source code on the WordPress Trac repository identifies the issue at line 85 in index.php.

Details

CWE(s): CWE-352 (Cross-Site Request Forgery)

Affected Products

Vendor: ivanm
Product: wp image uploader
Versions: ≤ 1.0.1
