CVE-2024-11635

Published Jan 8, 2025

Last updated 18 days ago

Overview

Description
The WordPress File Upload plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.24.12 via the 'wfu_ABSPATH' cookie parameter. This makes it possible for unauthenticated attackers to execute code on the server.
Source: security@wordfence.com
NVD status: Modified
Products: wordpress_file_upload

Risk scores

CVSS 3.1

Type: Secondary
Base score: 9.8
Impact score: 5.9
Exploitability score: 3.9
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: CRITICAL

Weaknesses

security@wordfence.com: CWE-94

Social media

Hype score: Not currently trending
  1. 🚨 CVE-2024-11635: WordPress File Upload <= 4.24.12... Cookie-based RCE via wfu_ABSPATH parameter bypasses all auth - 300k+ WordPress installs running a file upload plugin tu... https://t.co/Dw6ZJbgrnG #netsec #vulnerability #CVE #sysadmin #zeroday

    @0dayPublishing, 8 Apr 2026: 39 Impressions, 0 Retweets, 0 Likes, 0 Bookmarks, 0 Replies, 0 Quotes

  2. WordPress File Upload RCE (Part 2) : Full Disclosure of CVE-2024-11613 - When Patches Introduce New Vulnerabilities : https://t.co/YQAO4AvnHn Full Disclosure of CVE-2024-9939 & CVE-2024-11635 : https://t.co/NJV4TdNlur

    @binitamshah, 16 Mar 2025: 3648 Impressions, 9 Retweets, 37 Likes, 16 Bookmarks, 0 Replies, 0 Quotes

  3. CVE-2024-11635 (CVSS:9.8, CRITICAL) is Awaiting Analysis. The WordPress File Upload plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and includi..https://t.co/Vx0etBI81q #cybersecurityawareness #cybersecurity #CVE #infosec #hacker #nvd #mitre

    @cracbot, 13 Jan 2025: 23 Impressions, 0 Retweets, 3 Likes, 0 Bookmarks, 0 Replies, 0 Quotes

  4. CVE-2024-11635 The WordPress File Upload plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.24.12 via the 'wfu_ABSPATH' cookie param… https://t.co/HH2vXqrhO4

    @CVEnew, 8 Jan 2025: 267 Impressions, 0 Retweets, 0 Likes, 0 Bookmarks, 0 Replies, 0 Quotes

  5. A CVE of mine CVE-2024-11635 (CVSS:3.1 9.8 Critical) has been released today. You can read more about it at the link below https://t.co/sTo3fpY3vm I would be making a full disclosure exclusively on my blog https://t.co/Z46zGdurbe, on the 7th March 2025. Please save the date.

    @theabrahack, 7 Jan 2025: 369 Impressions, 0 Retweets, 12 Likes, 3 Bookmarks, 0 Replies, 0 Quotes

Configurations