CVE-2024-9047

The WordPress File Upload plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 4.24.11 via wfu_file_downloader.php. This makes it possible for unauthenticated attackers to read or delete files outside of the originally intended directory. Successful exploitation requires the targeted WordPress installation to be using PHP 7.4 or earlier.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://plugins.trac.wordpress.org/changeset/3164449/wp-file-upload
https://www.wordfence.com/threat-intel/vulnerabilities/id/554a314c-9e8e-4691-9792-d086790ef40f?source=cve

Configurations

No configuration.

History

15 Oct 2024, 12:57

Type	Values Removed	Values Added
Summary		(es) El complemento WordPress File Upload de WordPress es vulnerable a Path Traversal en todas las versiones hasta la 4.24.11 incluida a través de wfu_file_downloader.php. Esto permite que atacantes no autenticados lean o eliminen archivos fuera del directorio original previsto. Para explotarlo con éxito, es necesario que la instalación de WordPress en cuestión utilice PHP 7.4 o una versión anterior.

12 Oct 2024, 07:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-10-12 07:15

Updated : 2024-10-15 12:57

NVD link : CVE-2024-9047

Mitre link : CVE-2024-9047

CVE.ORG link : CVE-2024-9047

JSON object : View

Products Affected

No product.

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

9.8 /10