CVE-2024-13897
Published: 06 March 2025
Description
Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.
Security Summary
CVE-2024-13897 is an arbitrary file deletion vulnerability in the Moving Media Library plugin for WordPress, affecting all versions up to and including 1.22. The issue arises from insufficient file path validation in the generate_json_page function within the class-movingmedialibraryadmin.php file, classified under CWE-22 (Path Traversal). It has a CVSS v3.1 base score of 6.5 (AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H), highlighting moderate severity with high integrity and availability impacts.
Authenticated attackers possessing Administrator-level access or higher can exploit this vulnerability over the network with low complexity. By manipulating file paths, they can delete arbitrary files on the server, potentially leading to remote code execution—for instance, by targeting critical files such as wp-config.php.
Advisories and patch references include Wordfence's threat intelligence report, which details the vulnerability, the plugin source at line 166 of class-movingmedialibraryadmin.php, and changeset 3244709, which addresses the issue in trunk. Site administrators should update the plugin to a version later than 1.22 that incorporates this fix.
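As an added illustration, not code from the plugin, the advisory, or the changeset: a PHP helper showing the kind of path confinement whose absence produces a CWE-22 arbitrary file deletion. It resolves a caller-supplied relative name against one base directory and refuses anything that escapes it before calling unlink(). The function name, the base directory, and the demo files are assumptions.

```php
<?php
// Hypothetical hardened delete helper (not the plugin's code).
// Confines $relative to $base_dir; returns false instead of deleting
// when the request is absolute, contains NUL, or resolves outside the base.
function safe_delete_under(string $base_dir, string $relative): bool
{
    $base = realpath($base_dir);
    if ($base === false) {
        return false; // base directory must exist
    }
    // Reject empty names, embedded NUL bytes and absolute paths outright.
    if ($relative === '' || strpos($relative, "\0") !== false) {
        return false;
    }
    if ($relative[0] === '/' || $relative[0] === '\\' || preg_match('#^[A-Za-z]:#', $relative)) {
        return false;
    }
    // realpath() collapses "." and ".." and follows symlinks, so a link
    // inside the base that points outside it resolves outside as well.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $relative);
    if ($candidate === false) {
        return false; // target does not exist
    }
    // The resolved path must sit strictly below $base (prefix plus separator).
    if (strpos($candidate, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    if (!is_file($candidate)) {
        return false; // never unlink directories or special files
    }
    // In a WordPress handler this would additionally be guarded by a
    // capability check (current_user_can) and a nonce check (check_admin_referer).
    return unlink($candidate);
}

// Constructed demo: a throwaway base with one file inside and one outside.
$root = sys_get_temp_dir() . '/mml_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/uploads', 0700, true);
file_put_contents($root . '/uploads/a.json', '{}');
file_put_contents($root . '/secret.php', '<?php');

var_dump(safe_delete_under($root . '/uploads', 'a.json'));        // bool(true)
var_dump(safe_delete_under($root . '/uploads', '../secret.php')); // bool(false)
var_dump(file_exists($root . '/secret.php'));                     // bool(true): untouched
```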
Details
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Arbitrary file deletion via path traversal directly enables T1070.004 (File Deletion) and T1485 (Data Destruction), with potential for availability impact or RCE via critical file removal.