PT-2025-1673 · WordPress · Wordpress File Upload
Abrahack
·
Published
2025-01-07
·
Updated
2026-04-08
·
CVE-2024-11635
CVSS v3.1
9.8
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
WordPress File Upload plugin versions up to and including 4.24.12
Description
The WordPress File Upload plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.24.12 via the
wfu ABSPATH cookie parameter. This makes it possible for unauthenticated attackers to execute code on the server.Recommendations
For WordPress File Upload plugin versions up to and including 4.24.12, update to a version higher than 4.24.12 to resolve the issue.
As a temporary workaround, consider restricting access to the
wfu ABSPATH cookie parameter until a patch is available.Fix
RCE
Code Injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Wordpress File Upload