CVE-2024-12209
published 2024-12-08

CVE-2024-12209: The WP Umbrella: Update Backup Restore & Monitoring plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.17.0 via…

Priority: P188 · critical · 9.8 (CVSS 3.1)
CVSS vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Exploitation: in the wild (VulnCheck KEV)
EPSS: 15.04% (96.3rd percentile)
The WP Umbrella: Update Backup Restore & Monitoring plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.17.0 via the 'filename' parameter of the 'umbrella-restore' action. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
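
To make the description concrete, the following Python sketch shows the path-resolution step of an LFI of this shape: a user-supplied 'filename' is joined onto the plugin directory, so the traversal payload from this advisory collapses to /etc/passwd, while a hardened resolver refuses it. This is an added illustration, not the plugin's PHP and not its actual fix; the docroot /var/www/html (the plugin path segment is taken from the IOCs below), the allowed extensions and the function names are assumptions.

```python
"""Path resolution behind an LFI of the kind described above.

Added illustration in Python; it is not the plugin's code or its fix.  The
plugin directory (docroot assumed to be /var/www/html), the allowed
extensions and the function names are assumptions.
"""
import posixpath
from typing import Optional

# Assumed on-disk location of the plugin (path segment from the IOCs on
# this page; the docroot is an assumption).
PLUGIN_DIR = "/var/www/html/wp-content/plugins/wp-health"
# Assumed file types a restore step would legitimately consume.
ALLOWED_EXT = {".zip", ".sql"}


def vulnerable_resolve(filename: str) -> str:
    """The vulnerable shape: join whatever the client named and include it.
    normpath collapses the ../ segments exactly as the OS would."""
    return posixpath.normpath(posixpath.join(PLUGIN_DIR, filename))


def hardened_resolve(filename: str) -> Optional[str]:
    """Return a path inside PLUGIN_DIR, or None if the request must be refused."""
    # A restore file name never legitimately carries a directory component;
    # this also rejects absolute paths, which posixpath.join would honour.
    if not filename or filename != posixpath.basename(filename):
        return None
    # Only the expected archive types; this rules out '.php' payloads and
    # names such as '..' that have no extension.
    if posixpath.splitext(filename)[1].lower() not in ALLOWED_EXT:
        return None
    candidate = posixpath.normpath(posixpath.join(PLUGIN_DIR, filename))
    # Defence in depth: after normalisation the path must still sit under
    # PLUGIN_DIR.  On a live system resolve with os.path.realpath as well so a
    # symlink inside the directory cannot point back out of it.
    if posixpath.commonpath([PLUGIN_DIR, candidate]) != PLUGIN_DIR:
        return None
    return candidate


if __name__ == "__main__":
    payload = "../../../../../../etc/passwd"  # the filename from the advisory
    print("vulnerable:", vulnerable_resolve(payload))   # /etc/passwd
    print("hardened:  ", hardened_resolve(payload))     # None
    print("hardened:  ", hardened_resolve("backup-2024-12-01.zip"))
```

Six '..' segments are exactly what it takes to climb out of a plugin directory nested six levels below the filesystem root, which is why the public payload uses that many; a different install prefix changes the count but not the technique.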

Affected

1 range
Vendor: wphealth
Product: wp_umbrella_update_backup_restore_monitoring
Version range: <= 2.17.0
Fixed in: (not listed)

Detection & IOCs (extracted from sources)

url: /?umbrella-restore=1&filename=../../../../../../etc/passwd
path: /wp-content/plugins/wp-health
command: umbrella-restore=1&filename=../../../../../../etc/passwd
  • Look for unauthenticated GET requests carrying the 'umbrella-restore=1' parameter together with a 'filename' parameter containing directory-traversal sequences (e.g. ../../, including their URL-encoded forms) that point at /etc/passwd or other sensitive files.
  • Fingerprint the plugin by searching HTTP response bodies for the string '/wp-content/plugins/wp-health'. This only shows that WP Umbrella is installed, not which version; confirm the version separately (for a WordPress plugin, the 'Stable tag' in readme.txt or the 'Version:' header of the main plugin file) before treating the host as vulnerable.
  • A successful exploitation response returns HTTP 200 with content-type text/html and a body matching the pattern 'root:.*:0:0:' (i.e., /etc/passwd content), indicating arbitrary local file read/inclusion.
  • The vulnerable code path is the 'umbrella-restore' action handler; monitor every request to this action whose 'filename' parameter contains path-traversal sequences. The action itself is legitimate plugin functionality, so its presence alone is not an indicator.
  • The vulnerability is exploitable by unauthenticated attackers: no credentials or session tokens are required to trigger the LFI via the umbrella-restore action.
  • All plugin versions up to and including 2.17.0 are affected; the fix is in changeset 3202883 of the wp-health repository.
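
The request- and response-side indicators above, turned into detection logic and run over a handful of access-log lines. This is an added example, not code from the page's sources or from the vendor; the log lines are constructed for illustration (RFC 5737 test addresses) and the parser assumes the Apache/nginx "combined" log format. It goes slightly beyond the bullets by also decoding double-encoded traversal sequences and by leaving legitimate umbrella-restore requests unflagged.

```python
"""Detection for the indicators listed above, run over constructed access-log lines.

Added example; the log lines are made up for illustration and the parser
assumes the Apache/nginx "combined" format.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# ip ident user [timestamp] "METHOD path PROTOCOL" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)
# '..' followed by a separator; also catches the '....//' trick used against
# filters that strip a single '../'.
TRAVERSAL_RE = re.compile(r"\.\.(?:[\\/]|$)")
# Response-body pattern from the IOC list above (/etc/passwd root entry).
PASSWD_RE = re.compile(r"root:.*:0:0:")


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding so double-encoded '../' is still seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_umbrella_lfi_request(path: str) -> bool:
    """True for a request that carries umbrella-restore AND a traversing filename.

    umbrella-restore on its own is legitimate plugin traffic, so it is not
    flagged without a traversal sequence in 'filename'.
    """
    params = parse_qs(urlsplit(path).query, keep_blank_values=True)
    if "umbrella-restore" not in params:
        return False
    return any(TRAVERSAL_RE.search(fully_decode(v)) for v in params.get("filename", []))


def scan_log(lines):
    """Return one record per matching request (ip, time, status, decoded filename)."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_umbrella_lfi_request(m["path"]):
            continue
        params = parse_qs(urlsplit(m["path"]).query)
        hits.append({
            "ip": m["ip"],
            "time": m["ts"],
            "status": int(m["status"]),
            "filename": fully_decode(params["filename"][0]),
        })
    return hits


def looks_like_passwd_leak(status: int, content_type: str, body: str) -> bool:
    """Response-side confirmation from the IOC list: 200, text/html, passwd-shaped body."""
    return (status == 200
            and content_type.lower().startswith("text/html")
            and PASSWD_RE.search(body) is not None)


# Constructed sample: two probes from one client (plain and double-encoded),
# a legitimate restore request, a heartbeat and an unrelated LFI scan.
SAMPLE_LOG = """\
203.0.113.10 - - [08/Dec/2024:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [08/Dec/2024:10:00:05 +0000] "GET /?umbrella-restore=1&filename=../../../../../../etc/passwd HTTP/1.1" 200 1843 "-" "python-requests/2.31"
198.51.100.7 - - [08/Dec/2024:10:00:09 +0000] "GET /?umbrella-restore=1&filename=..%252F..%252F..%252F..%252F..%252F..%252Fetc%252Fpasswd HTTP/1.1" 200 1843 "-" "python-requests/2.31"
203.0.113.22 - - [08/Dec/2024:10:01:00 +0000] "GET /?umbrella-restore=1&filename=backup-2024-12-01.zip HTTP/1.1" 200 88 "-" "Mozilla/5.0"
192.0.2.5 - - [08/Dec/2024:10:02:00 +0000] "GET /index.php?page=../../etc/passwd HTTP/1.1" 404 0 "-" "curl/8.4"
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG.splitlines()):
        print(hit)
```

A 200 on the request side is not proof of success on its own (the handler may return 200 with an error page), which is why the body check in looks_like_passwd_leak is kept separate: apply it where response bodies are available (WAF or proxy logs, a full-packet capture), and treat request-side matches alone as attempts to be triaged.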

CVSS provenance

NVD (CVSS v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
VulnCheck: 9.8 CRITICAL