PT-2025-3736 · WordPress · Wordpress File Upload

Abrahack

Published

2025-01-07

Updated

2025-03-16

CVE-2024-9939

CVSS v3.1

7.5

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions WordPress File Upload plugin versions up to 4.24.13

Description The WordPress File Upload plugin is vulnerable to Path Traversal, allowing unauthenticated attackers to read files outside of the originally intended directory through wfu file downloader.php. This issue affects all versions up to, and including, 4.24.13.

Recommendations For versions up to 4.24.13, update to a version later than 4.24.13 to resolve the issue. As a temporary workaround, consider restricting access to wfu file downloader.php to minimize the risk of exploitation.

Fix

Path traversal

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-22

Related Identifiers

CVE-2024-9939

Affected Products

Wordpress File Upload

PT-2025-3736 · WordPress · Wordpress File Upload

CVE-2024-9939

Weakness Enumeration

Related Identifiers

Affected Products

References · 12