漏洞描述
WordPress File Upload插件是一款WordPress网站的实用插件,它允许用户地将文件上传到wp-contents目录, 插件支持自定义字段,同时,它还提供了进度条监视功能,让用户可以实时了解上传进度。WordPress File Upload 插件在 <= 4.24.11 版本中,wfu_file_downloader.php 文件存在任意文件读取漏洞。攻击者可以通过构造恶意请求读取服务器上的任意文件,可能导致敏感信息泄露或进一步的攻击。
WordPress File Upload 插件 /wfu_file_downloader.php 文件读取漏洞(CVE-2024-9047)
PoC代码
暂无相关漏洞推荐
- POC CVE-2017-14725: WordPress < 4.8.2 - Authenticated Open Redirect
- POC CVE-2017-17092: WordPress < 4.9.1 - Authenticated JavaScript File Upload
- POC CVE-2021-4449: ZoomSounds Plugin - Unauthenticated Arbitrary File Upload
- POC wp-security-hidden-login-exposure: WordPress All-in-One Security <=4.4.1 - Hidden Login Page Exposure
- WordPress Kognetiks Chatbot for WordPress <= 2.0.0 任意文件上传漏洞
- WordPress Verbalize WP 存在任意文件上传漏洞(CVE-2024-49668)
- POC CVE-2021-4374: WordPress Automatic Plugin - Unauthenticated Options Change
- POC CVE-2025-11749: WordPress AI Engine Plugin - Token Exposure
- WordPress WooCommerce Designer Pro 插件 /wp-admin/admin-ajax.php wcdp_save_canvas_design_ajax 文件上传漏洞(CVE-2025-6440)
- POC CVE-2025-4302: Stop User Enumeration WordPress plugin - Authentication Bypass
- 锐明技术Crocus系统 DeviceFileUpload.do 任意文件读取漏洞
- POC CVE-2025-64095: DNN - Unrestricted Arbitrary File Upload
- WordPress Google for WooCommerce /wp-content/plugins/google-listings-and-ads/vendor/googleads/google-ads-php/scripts/print_php_information.php 信息泄露漏洞(CVE-2024-10486)