PT-2024-39388 · WordPress · Wordpress File Upload

Arkadiusz Hydzik · Published 2024-10-12 · Updated 2025-05-31 · CVE-2024-9047

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: WordPress File Upload plugin versions up to, and including, 4.24.11

Description: The WordPress File Upload plugin is vulnerable to Path Traversal via the wfu_file_downloader.php file. This allows unauthenticated attackers to read or delete files outside of the originally intended directory. Successful exploitation requires the targeted WordPress installation to be using PHP 7.4 or earlier. Approximately 18,000 devices are exposed.

Recommendations: For WordPress File Upload plugin versions up to, and including, 4.24.11, update to a version later than 4.24.11 to resolve the issue. As a temporary workaround, consider disabling the wfu_file_downloader.php file until a patch is available. Restrict access to the wfu_file_downloader.php file to minimize the risk of exploitation.
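The following is an added detection example, not code from the plugin, the advisory or its author. It scans web-server access-log lines (combined log format) for requests to wfu_file_downloader.php whose query parameters or path contain a `..` segment after URL decoding, which is what a path-traversal attempt against this endpoint looks like in logs. The plugin directory path, the query-parameter name and all log lines are constructed sample values; the detector does not depend on the parameter name, only on the script name and the decoded values.

```python
"""Flag access-log requests to wfu_file_downloader.php carrying '..' path segments.

Added example for CVE-2024-9047 triage; not part of the plugin or the advisory.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Combined-log-format line: ip ident user [ts] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Script named in the advisory; only the basename is matched.
DOWNLOADER = "wfu_file_downloader.php"

# Constructed sample lines. Plugin directory and parameter name are assumptions.
LOG_LINES = [
    # Benign download, no traversal
    '203.0.113.5 - - [12/Oct/2024:10:00:01 +0000] "GET /wp-content/plugins/'
    'wp-file-upload/wfu_file_downloader.php?file=report.pdf HTTP/1.1" 200 5120',
    # Percent-encoded traversal in a query value
    '198.51.100.7 - - [12/Oct/2024:10:00:02 +0000] "GET /wp-content/plugins/'
    'wp-file-upload/wfu_file_downloader.php?file=..%2F..%2Fconstructed-target.txt'
    ' HTTP/1.1" 200 2816',
    # Double-encoded traversal (%252e -> %2e -> .)
    '198.51.100.7 - - [12/Oct/2024:10:00:03 +0000] "GET /wp-content/plugins/'
    'wp-file-upload/wfu_file_downloader.php?file=%252e%252e%252fconstructed.txt'
    ' HTTP/1.1" 403 0',
    # Traversal against an unrelated script: out of scope for this detector
    '203.0.113.9 - - [12/Oct/2024:10:00:04 +0000] "GET /index.php?p=../x HTTP/1.1" 200 100',
]


def has_traversal(value: str) -> bool:
    """True if the value contains a '..' path segment after decoding.

    Decodes twice to catch double-encoded input and folds backslashes to
    slashes so '..\\' variants are treated like '../'.
    """
    decoded = value
    for _ in range(2):
        decoded = unquote(decoded)
    decoded = decoded.replace("\\", "/")
    return any(segment == ".." for segment in decoded.split("/"))


def check_line(line: str):
    """Return a finding dict for a suspicious downloader request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    path = unquote(parts.path)
    if path.rsplit("/", 1)[-1] != DOWNLOADER:
        return None
    # parse_qsl already URL-decodes once; has_traversal decodes further.
    suspicious = [
        key for key, val in parse_qsl(parts.query, keep_blank_values=True)
        if has_traversal(val)
    ]
    if has_traversal(path):
        suspicious.append("<path>")
    if not suspicious:
        return None
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "status": m.group("status"),
        "params": suspicious,
    }


def scan(lines):
    """Run check_line over an iterable of log lines and collect findings."""
    return [hit for hit in map(check_line, lines) if hit]


if __name__ == "__main__":
    for hit in scan(LOG_LINES):
        print(f"{hit['ts']} {hit['ip']} status={hit['status']} params={hit['params']}")
```

A 200 status on a flagged request is the signal to escalate: the server served the file rather than rejecting it. Requests with 403 or 404 still show that the endpoint is being probed and should feed into blocking or the access restriction the advisory recommends.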

Exploit

Fix

Path traversal

Weakness Enumeration

Related Identifiers

BDU:2025-06681
CVE-2024-9047

Affected Products

Wordpress File Upload