CVE-2024-11613

CRITICAL

WordPress File Upload <4.24.15 - RCE

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-11613. PoCs published by Sachinart.

AI-analyzed exploit summary This repository contains a functional exploit for CVE-2024-11613, targeting the WordPress File Upload plugin. The exploit leverages improper sanitization of the 'source' parameter to achieve unauthenticated remote code execution, arbitrary file read, and arbitrary file deletion.

Description

The WordPress File Upload plugin for WordPress is vulnerable to Remote Code Execution, Arbitrary File Read, and Arbitrary File Deletion in all versions up to, and including, 4.24.15 via the 'wfu_file_downloader.php' file. This is due to lack of proper sanitization of the 'source' parameter and allowing a user-defined directory path. This makes it possible for unauthenticated attackers to execute code on the server.

Exploits (1)

nomisec WORKING POC 4 stars

by Sachinart · poc

https://github.com/Sachinart/CVE-2024-11613-wp-file-upload

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2024-11613, targeting the WordPress File Upload plugin. The exploit leverages improper sanitization of the 'source' parameter to achieve unauthenticated remote code execution, arbitrary file read, and arbitrary file deletion.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: WordPress File Upload plugin <= 4.24.15

No auth needed

Prerequisites: Target must have the vulnerable WordPress File Upload plugin installed and activated · Plugin version must be <= 4.24.15

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (4)

Core 4

Core References

https://abrahack.com/posts/wp-file-upload-rce-part2/

Product

https://plugins.svn.wordpress.org/wp-file-upload/trunk/wfu_file_downloader.php

Patch

https://plugins.trac.wordpress.org/changeset/3217005/

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/31052fe6-a0ae-4502-b2d2-dbc3b3bf672f?source=cve

Scores

CVSS v3 9.8

EPSS 0.0435

EPSS Percentile 90.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

CWE

CWE-94

Status published

Products (2)

iptanus/wordpress_file_upload < 4.25.0

nickboss/Iptanus File Upload < 4.24.15

Published Jan 08, 2025

Tracked Since Feb 18, 2026