CVE-2024-11635

CWE-94 — Code Injection CWE-2414 documents4 sources

Severity

9.8CRITICAL

EPSS

19.6%

top 4.59%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Iptanus Wordpress File Upload Nickboss Iptanus File Upload

Timeline

PublishedJan 8

Description

The WordPress File Upload plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.24.12 via the 'wfu_ABSPATH' cookie parameter. This makes it possible for unauthenticated attackers to execute code on the server.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

▶NVDiptanus/wordpress_file_upload< 4.24.15

▶CVEListV5nickboss/iptanus_file_upload4.24.12

🔴Vulnerability Details

GHSA

GHSA-66qp-p5x9-xhxc: The WordPress File Upload plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4↗2025-01-08

▶

CVEList

WordPress File Upload <= 4.24.12 - Unuathenticated Remote Code Execution↗2025-01-08

▶