CVE-2024-12209
Published 2024-12-08
CVE-2024-12209: The WP Umbrella: Update Backup Restore & Monitoring plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.17.0 via…
Priority: P188 · critical · 9.8 (CVSS 3.1)
AV:N · AC:L · PR:N · UI:N · S:U · C:H · I:H · A:H
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 15.04% (96.3th percentile)
The WP Umbrella: Update Backup Restore & Monitoring plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.17.0 via the 'filename' parameter of the 'umbrella-restore' action. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wphealth | wp_umbrella_update_backup_restore_monitoring | <= 2.17.0 | — |
Detection & IOCs (extracted from sources)
- Look for unauthenticated GET requests containing the 'umbrella-restore=1' parameter combined with a 'filename' parameter using directory traversal sequences (e.g., ../../) targeting /etc/passwd or other sensitive files.
- Detect presence of the plugin by searching HTTP response bodies for the string '/wp-content/plugins/wp-health', which indicates that WP Umbrella is installed; versions <= 2.17.0 are vulnerable.
- A successful exploitation response will return HTTP 200 with content-type text/html and a body matching the pattern 'root:.*:0:0:' (i.e., /etc/passwd content), indicating arbitrary local file read/inclusion.
- The vulnerable code path is in the 'umbrella-restore' action handler; monitor for any requests to this action with a 'filename' parameter containing path traversal sequences.
- The vulnerability is exploitable by unauthenticated attackers: no credentials or session tokens are required to trigger the LFI via the umbrella-restore action.
- All plugin versions up to and including 2.17.0 are affected; the fix is in changeset 3202883 of the wp-health repository.
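The first and fourth indicators above can be checked against web server access logs. The following is an added example, not code from any of the cited sources: it assumes combined-format access logs, and the sample lines, function names and the `review_first` field are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined-log-format prefix: client IP ... "METHOD target HTTP/x" status
REQ = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) '
                 r'HTTP/[\d.]+" (?P<status>\d{3})')
# A ".." path segment delimited by / or \ (or by the string boundary)
TRAVERSAL = re.compile(r'(^|[\\/])\.\.([\\/]|$)')

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Dec/2024:10:00:01 +0000] "GET /?umbrella-restore=1&filename=../../../../etc/passwd HTTP/1.1" 200 1843 "-" "-"
198.51.100.4 - - [10/Dec/2024:10:00:05 +0000] "GET /?umbrella-restore=1&filename=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 403 512 "-" "-"
192.0.2.10 - - [10/Dec/2024:10:00:09 +0000] "GET /wp-login.php HTTP/1.1" 200 4021 "-" "-"
192.0.2.11 - - [10/Dec/2024:10:00:12 +0000] "GET /?s=umbrella&filename=../x HTTP/1.1" 200 900 "-" "-"
"""

def classify(line):
    """Return a finding dict for a matching request line, else None."""
    m = REQ.match(line)
    if not m:
        return None
    # parse_qs percent-decodes keys and values, so %2e%2e%2f is seen as ../
    query = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
    if "umbrella-restore" not in query:
        return None
    bad = [v for v in query.get("filename", []) if TRAVERSAL.search(v)]
    if not bad:
        return None
    status = int(m["status"])
    return {"ip": m["ip"], "status": status, "filename": bad[0],
            # HTTP 200 only means the request was served; confirming inclusion
            # needs the response body, which access logs do not record.
            "review_first": status == 200}

def scan(log_text):
    """Classify every line of a log and keep only the findings."""
    return [f for f in map(classify, log_text.splitlines()) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Findings with `review_first` set are the ones to correlate with response-body captures or WAF logs for the 'root:.*:0:0:' pattern.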
CVSS provenance
nvd · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck · 9.8 CRITICAL
GHSA
ghsa_unreviewed·2024-12-08
CVE-2024-12209 [CRITICAL] CWE-98 GHSA-pp69-q6mg-r2c8: The WP Umbrella: Update Backup Restore & Monitoring plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2
VulnCheck
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
vulncheck·2024·CVSS 9.8
CVE-2024-12209 [CRITICAL] Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Affected: WP Umbrella Update Backup Restore & Monitoring plugin for WordPress
Required Action: Apply remediations or mitigations per vendor
No detection rules found.
Nuclei
WP Umbrella Update Backup Restore & Monitoring <= 2.17.0 - Local File Inclusion
nuclei·CVSS 9.8
CVE-2024-12209 [CRITICAL] WP Umbrella Update Backup Restore & Monitoring <= 2.17.0 - Local File Inclusion
Template:
```yaml
id: CVE-2024-12209
info:
  name: WP Umbrella Update Backup Restore & Monitoring <= 2.17.0 - Local File Inclusion
  author: s4e-io
  severity: critical
  descrip
```
- https://plugins.trac.wordpress.org/browser/wp-health/tags/v2.16.4/src/Actions/RestoreRouter.php#L45
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3202883%40wp-health&new=3202883%40wp-health&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/c74ce3e8-cab9-4cc6-a1ad-1e51f7268474?source=cve
Published: 2024-12-08
Exploited in the wild