CVE-2024-11635

CRITICAL

WordPress File Upload <= 4.24.12 - RCE

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-11635. PoCs published by vigilante-1337.

AI-analyzed exploit summary

This repository provides a detailed technical writeup and a safe lab environment for CVE-2024-11635, an unauthenticated RCE vulnerability in WordPress File Upload plugin <= 4.24.12 via the 'wfu_ABSPATH' cookie parameter. It includes a Docker-based lab setup for testing but does not contain functional exploit code.

Description

The WordPress File Upload plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.24.12 via the 'wfu_ABSPATH' cookie parameter. This makes it possible for unauthenticated attackers to execute code on the server.
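Two triage checks a responder wants from this advisory, written here as an added example (not code from this tracker page, the plugin, or the linked writeup): decide whether an installed plugin version falls inside the affected range (all versions up to and including 4.24.12), and flag web-server requests that carry the 'wfu_ABSPATH' cookie the advisory names. The log format (combined log plus the request's Cookie header as a final quoted field), the sample lines and the "benign value looks like a plain absolute path" heuristic are assumptions made for the example, not details taken from the advisory.

```python
"""Triage helpers for CVE-2024-11635 (WordPress File Upload <= 4.24.12).

Added example, not code from the tracker page, the plugin or the linked
writeup. Two checks: is the installed plugin version inside the affected
range, and do web-server logs show requests carrying the 'wfu_ABSPATH'
cookie the advisory names. The log format and sample lines below are
constructed for the example.
"""
import re

AFFECTED_MAX = "4.24.12"     # advisory: all versions up to and including 4.24.12
COOKIE_NAME = "wfu_ABSPATH"  # cookie parameter named in the advisory


def parse_version(text):
    """Turn '4.24.12' (or '4.24.12-beta') into a comparable tuple of ints."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_affected(installed):
    """True when the installed plugin version is <= 4.24.12."""
    return parse_version(installed) <= parse_version(AFFECTED_MAX)


def parse_cookie_header(header):
    """Minimal Cookie header parser: 'a=1; b=2' -> {'a': '1', 'b': '2'}.
    Deliberately lenient so odd values a client sends are not dropped."""
    out = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            out[name] = value
    return out


# Assumed log format (not the Apache default): combined log followed by
# the request's Cookie header as a final quoted field (e.g. %{Cookie}i).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<cookie>[^"]*)"$'
)


def looks_like_local_path(value):
    """Heuristic (an assumption, not from the advisory): a benign value
    would be a plain absolute filesystem path with no traversal,
    stream wrapper or NUL byte. Anything else is escalated for review."""
    return (
        value.startswith("/")
        and ".." not in value
        and "://" not in value
        and "\x00" not in value
        and "%00" not in value.lower()
    )


def scan_log(lines):
    """Return one finding per request that carries the wfu_ABSPATH cookie."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.rstrip("\n"))
        if not m:
            continue
        cookies = parse_cookie_header(m.group("cookie"))
        if COOKIE_NAME not in cookies:
            continue
        value = cookies[COOKIE_NAME]
        findings.append({
            "ip": m.group("ip"),
            "request": m.group("req"),
            "value": value,
            "severity": "low" if looks_like_local_path(value) else "high",
        })
    return findings


# Constructed sample lines for the example (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [08/Jan/2025:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 1234 "wordpress_test_cookie=WP+Cookie+check"',
    '203.0.113.8 - - [08/Jan/2025:10:00:05 +0000] "POST /index.php HTTP/1.1" 200 512 "wfu_ABSPATH=/var/www/html/"',
    '198.51.100.9 - - [08/Jan/2025:10:00:09 +0000] "POST /index.php HTTP/1.1" 500 0 "PHPSESSID=abc; wfu_ABSPATH=../../../tmp/"',
]

if __name__ == "__main__":
    for ver in ("4.24.12", "4.24.13"):
        print(ver, "affected" if is_affected(ver) else "not affected")
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Because the advisory only names the cookie and not the value shape an attack needs, the presence of the cookie is the grounded signal; the path heuristic merely orders findings for review and should be tuned against what the plugin legitimately sends in your environment.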

Exploits (1)

nomisec WRITEUP
by vigilante-1337 · poc
https://github.com/vigilante-1337/CVE-2024-11635

Classification
Writeup 90%
Attack Type
RCE
Complexity
Moderate
Reliability
Theoretical
Target: WordPress File Upload plugin <= 4.24.12
No auth needed
Prerequisites: Vulnerable WordPress File Upload plugin installed · Access to the target WordPress instance
devstral-2 · analyzed Feb 19, 2026

Scores

CVSS v3 9.8
EPSS 0.0145 (1.45%)
EPSS Percentile 69.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

CWE
CWE-94
Status published
Products (2)
iptanus/wordpress_file_upload < 4.24.15
nickboss/Iptanus File Upload < 4.24.12
Published Jan 08, 2025
Tracked Since Feb 18, 2026