CVE-2024-11613

Published Jan 8, 2025

Last updated 18 days ago

Overview

Description
The WordPress File Upload plugin for WordPress is vulnerable to Remote Code Execution, Arbitrary File Read, and Arbitrary File Deletion in all versions up to, and including, 4.24.15 via the 'wfu_file_downloader.php' file. This is due to a lack of proper sanitization of the 'source' parameter and to allowing a user-defined directory path. This makes it possible for unauthenticated attackers to execute code on the server.
Source
security@wordfence.com
NVD status
Modified
Products
wordpress_file_upload

Risk scores

CVSS 3.1

Type
Secondary
Base score
9.8
Impact score
5.9
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity
CRITICAL

Weaknesses

security@wordfence.com
CWE-94

Social media

Hype score
Not currently trending
  1. 🚨 CVE-2024-11613: WordPress File Upload <= 4.24.15... Unauthenticated RCE through unsanitized 'source' param in wfu_file_downloader.php - 9.8 CVSS means instant shells on 10... https://t.co/MMoadyxafQ #netsec #vulnerability #CVE #sysadmin #zeroday

    @0dayPublishing

    8 Apr 2026

    21 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. WordPress File Upload RCE (Part 2) : Full Disclosure of CVE-2024-11613 - When Patches Introduce New Vulnerabilities : https://t.co/YQAO4AvnHn Full Disclosure of CVE-2024-9939 & CVE-2024-11635 : https://t.co/NJV4TdNlur

    @binitamshah

    16 Mar 2025

    3648 Impressions

    9 Retweets

    37 Likes

    16 Bookmarks

    0 Replies

    0 Quotes

  3. CVE-2024-11613 (CVSS:9.8, CRITICAL) is Awaiting Analysis. The WordPress File Upload plugin for WordPress is vulnerable to Remote Code Execution, Arbitrary File Read, and Arbitrar..https://t.co/ImoYXWqcpA #cybersecurityawareness #cybersecurity #CVE #infosec #hacker #nvd #mitre

    @cracbot

    13 Jan 2025

    20 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  4. CVE-2024-11613 The WordPress File Upload plugin for WordPress is vulnerable to Remote Code Execution, Arbitrary File Read, and Arbitrary File Deletion in all versions up to, and inc… https://t.co/V67NbGgZq1

    @CVEnew

    8 Jan 2025

    13 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  5. A CVE of mine CVE-2024-11613 (CVSS:3.1 9.8 Critical) has been released today. Full disclosure exclusively on my blog https://t.co/Z46zGdurbe, on the 14th March 2025. You can read more about it at the link below https://t.co/OihGRXEX7D Please save the date.

    @theabrahack

    7 Jan 2025

    2309 Impressions

    2 Retweets

    23 Likes

    10 Bookmarks

    1 Reply

    1 Quote

Configurations