CVE-2024-9939

CVE-2024-9939 is a path traversal vulnerability (CWE-22) affecting the WordPress File Upload plugin for WordPress in all versions up to and including 4.24.13. The issue resides in the wfu_file_downloader.php component, which allows attackers to access files outside the originally intended directory. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with no integrity or availability disruption.

Unauthenticated attackers can exploit this vulnerability remotely over the network with low complexity and no user interaction required. Successful exploitation enables reading arbitrary files on the server, potentially exposing sensitive configuration files, credentials, or other data stored outside the plugin's designated directories.

Wordfence published a threat intelligence advisory detailing the vulnerability at https://www.wordfence.com/threat-intel/vulnerabilities/id/5e51f301-026d-4ed7-82f8-96c1623bf95c?source=cve. A patch addressing the issue is available in the WordPress plugin trac changeset 3188857 at https://plugins.trac.wordpress.org/changeset/3188857/wp-file-upload. Additional technical analysis appears in a blog post at https://abrahack.com/posts/wp-file-upload-rce-part1/. Security practitioners should update to a patched version beyond 4.24.13 and review access logs for suspicious file download requests.