CVE-2024-11635

high-risk

Published 2025-01-08

The WordPress File Upload plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.24.12 via the 'wfu_ABSPATH' cookie parameter. This makes it possible for unauthenticated attackers to execute code on the server.

Do I need to act?

19.6% chance of exploitation in next 30 days

EPSS score — higher than 80% of all CVEs

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 9.8/10 Critical

NETWORK / LOW complexity

Affected Products (1)

Wordpress File Upload

Affected Vendors

Iptanus

References (3)

https://abrahack.com/posts/wp-file-upload-rce-part1/

Product https://plugins.svn.wordpress.org/wp-file-upload/trunk/wfu_file_downloader.php

Third Party Advisory https://www.wordfence.com/threat-intel/vulnerabilities/id/b5165f60-6515-4a2c-a12...

/ 100

high-risk

Severity 32/34 · Critical

Exploitability 14/34 · Moderate

Exposure 5/34 · Minimal