CVE-2024-11635
CVE-2024-11635
9.8
CriticalPublished:
Last updated:
Source:security@wordfence.com
Modified
Weakness (CWE)
CVSS Vector
v3.1- Attack Vector
- Network
- Attack Complexity
- Low
- Privileges Required
- None
- User Interaction
- None
- Scope
- Unchanged
- Confidentiality
- High
- Integrity
- High
- Availability
- High
Description
The WordPress File Upload plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.24.12 via the 'wfu_ABSPATH' cookie parameter. This makes it possible for unauthenticated attackers to execute code on the server.
References
security@wordfence.com
https://abrahack.com/posts/wp-file-upload-rce-part1/security@wordfence.com
https://plugins.svn.wordpress.org/wp-file-upload/trunk/wfu_file_downloader.php