CVE-2024-9047
published 2024-10-12


Priority: P1 90 · critical 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW, Exploit, VulnCheck KEV, Initial access
Exploited in the wild
EPSS: 92.32% (99.8th percentile)
The WordPress File Upload plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 4.24.11 via wfu_file_downloader.php. This makes it possible for unauthenticated attackers to read or delete files outside of the originally intended directory. Successful exploitation requires the targeted WordPress installation to be using PHP 7.4 or earlier.

Affected (2 ranges)

Vendor     Product                  Version range   Fixed in
iptanus    wordpress_file_upload    < 4.24.12       4.24.12
nickboss   iptanus_file_upload      <= 4.24.11      -

Detection & IOCs (extracted from sources)

path: /wp-content/plugins/wp-file-upload/wfu_file_downloader.php
url: /wp-content/plugins/wp-file-upload/wfu_file_downloader.php?file={{file}}&ticket={{ticket}}&handler=dboption&session_legacy=1&dboption_base=cookies&dboption_useold=0&wfu_cookie=wp_wpfileupload_{{upload}}
cookie: wfu_storage_{{file}}=/../../../../../etc/passwd[[name]]; wfu_download_ticket_{{ticket}}={{time}}; wfu_ABSPATH=/;
yara: contains(header, "filename=\"passwd\"") AND regex('root:.*:0:0:', body) AND status_code == 200
  • Exploit requests target wfu_file_downloader.php with query parameters handler=dboption, session_legacy=1, dboption_base=cookies, and dboption_useold=0. Monitor HTTP GET requests to this path with these parameters as a strong indicator of exploitation attempts.
  • Path traversal payload is delivered via cookies, specifically wfu_storage_<file> containing a directory traversal sequence (/../../../../../etc/passwd[[name]]) and wfu_ABSPATH set to /. Inspect inbound Cookie headers for these patterns.
  • Successful exploitation is confirmed when the HTTP response contains a Content-Disposition header with filename="passwd" and the body matches root:.*:0:0: (classic /etc/passwd content). Alert on HTTP 200 responses from wfu_file_downloader.php matching these patterns.
  • Shodan/FOFA fingerprint for exposed vulnerable instances: search for http.html containing /wp-content/plugins/wp-file-upload/ to identify internet-facing targets.
  • Exploitation requires the target WordPress installation to be running PHP 7.4 or earlier. Sites running PHP 8.0+ are not affected even if the vulnerable plugin version is installed.
  • The vulnerability is unauthenticated: no WordPress credentials or session are required to exploit it, making it trivially exploitable at scale.
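The three request-side indicators and the response rule above can be combined into one classifier that runs over proxy or web-server records. The block below is an added example written for this page, not code from the plugin or from the page's source; the record shape (`url`, `cookie`, `status`, `headers`, `body`), the sample records, and the verdict names (`benign`, `informational`, `attempt`, `confirmed_exploitation`) are constructed here. It distinguishes ordinary downloads through the same endpoint from attempts, and attempts from confirmed reads, so that a blocked attempt on a PHP 8 host still surfaces as an alert without being mislabelled as a compromise.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Plugin endpoint and the query-parameter set the page lists as the exploitation signature
TARGET_PATH = "/wp-content/plugins/wp-file-upload/wfu_file_downloader.php"
EXPLOIT_PARAMS = {
    "handler": "dboption",
    "session_legacy": "1",
    "dboption_base": "cookies",
    "dboption_useold": "0",
}
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")            # "../" or "..\" anywhere in a cookie value
PASSWD_RE = re.compile(r"root:.*:0:0:")             # classic first line of /etc/passwd
FILENAME_RE = re.compile(r'filename="?passwd"?', re.IGNORECASE)


def parse_cookies(header):
    """Split a raw Cookie header into a {name: value} dict; empty items are ignored."""
    cookies = {}
    for item in header.split(";"):
        if "=" in item:
            name, value = item.strip().split("=", 1)
            cookies[name.strip()] = value.strip()
    return cookies


def request_indicators(url, cookie_header=""):
    """Return the names of the request-side indicators (from the page) that a request matches."""
    parts = urlsplit(url)
    if parts.path != TARGET_PATH:
        return []
    hits = ["target_path"]
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if all(query.get(k) == v for k, v in EXPLOIT_PARAMS.items()):
        hits.append("dboption_cookie_params")
    cookies = parse_cookies(cookie_header)
    if any(n.startswith("wfu_storage_") and TRAVERSAL_RE.search(v) for n, v in cookies.items()):
        hits.append("traversal_in_wfu_storage")
    if cookies.get("wfu_ABSPATH") == "/":
        hits.append("abspath_root")
    return hits


def response_confirms(status, headers, body):
    """True when the response matches the page's success rule: HTTP 200,
    a Content-Disposition naming passwd, and passwd-style content in the body."""
    lowered = {k.lower(): v for k, v in headers.items()}
    return (status == 200
            and FILENAME_RE.search(lowered.get("content-disposition", "")) is not None
            and PASSWD_RE.search(body) is not None)


def classify(record):
    """Map one request/response record to a verdict for alerting (verdict names are assumptions)."""
    hits = request_indicators(record["url"], record.get("cookie", ""))
    if not hits:
        return "benign"
    if response_confirms(record["status"], record.get("headers", {}), record.get("body", "")):
        return "confirmed_exploitation"
    if "dboption_cookie_params" in hits or "traversal_in_wfu_storage" in hits:
        return "attempt"
    return "informational"   # ordinary plugin download traffic on the same path


def summarize(records):
    """Count verdicts over a batch of records."""
    counts = {}
    for rec in records:
        verdict = classify(rec)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


# Constructed sample records: the request shape follows the url/cookie IOCs on the page
EXPLOIT_URL = (TARGET_PATH + "?file=passwd&ticket=t1&handler=dboption&session_legacy=1"
               "&dboption_base=cookies&dboption_useold=0&wfu_cookie=wp_wpfileupload_u1")
EXPLOIT_COOKIE = ("wfu_storage_passwd=/../../../../../etc/passwd[[name]]; "
                  "wfu_download_ticket_t1=1728700000; wfu_ABSPATH=/;")

SAMPLE_LOG = [
    # ordinary download of a file the plugin was meant to serve
    {"url": TARGET_PATH + "?file=report.pdf&ticket=t0",
     "cookie": "wfu_storage_report.pdf=report.pdf", "status": 200,
     "headers": {"Content-Disposition": 'attachment; filename="report.pdf"'}, "body": "%PDF-1.4 ..."},
    # attempt against a host where the traversal did not succeed (e.g. PHP 8.0+, per the page)
    {"url": EXPLOIT_URL, "cookie": EXPLOIT_COOKIE, "status": 200, "headers": {}, "body": ""},
    # attempt that returned /etc/passwd
    {"url": EXPLOIT_URL, "cookie": EXPLOIT_COOKIE, "status": 200,
     "headers": {"Content-Disposition": 'attachment; filename="passwd"'},
     "body": "root:x:0:0:root:/root:/bin/bash\ndaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"},
    # unrelated traffic
    {"url": "/wp-login.php", "status": 200},
]

if __name__ == "__main__":
    for rec in SAMPLE_LOG:
        print(classify(rec), rec["url"][:70])
    print(summarize(SAMPLE_LOG))
```

The request-side checks alone are enough to raise an alert: they fire on the attempt record even though its response is empty. The response rule is kept as the escalation step, so a `confirmed_exploitation` verdict is only issued when the server actually returned passwd-style content.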

CVSS provenance

NVD (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
VulnCheck: 9.8 CRITICAL