CVE-2024-13494

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-13494
The WordPress File Upload plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.25.2. This is due to missing or incorrect nonce validation on the 'wfu_file_details' function. This makes it possible for unauthenticated attackers to modify user data details associated with uploaded files via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

4.3 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://plugins.trac.wordpress.org/changeset/3241028/wp-file-upload Patch
https://www.wordfence.com/threat-intel/vulnerabilities/id/595a6ab3-0731-4ef4-a385-5dfebbd917f4?source=cve Third Party Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:iptanus:wordpress_file_upload:*:*:*:*:*:wordpress:*:*
History

28 Feb 2025, 01:30

Type Values Removed Values Added
CPE cpe:2.3:a:iptanus:wordpress_file_upload:*:*:*:*:*:wordpress:*:*
First Time Iptanus
Iptanus wordpress File Upload
Summary
  • (es) El complemento WordPress File Upload para WordPress es vulnerable a Cross-Site Request Forgery en todas las versiones hasta la 4.25.2 incluida. Esto se debe a la falta o la validación incorrecta de nonce en la función 'wfu_file_details'. Esto hace posible que atacantes no autenticados modifiquen los detalles de los datos de usuario asociados con los archivos cargados a través de una solicitud falsificada, siempre que puedan engañar a un administrador del sitio para que realice una acción como hacer clic en un enlace.
References () https://plugins.trac.wordpress.org/changeset/3241028/wp-file-upload - () https://plugins.trac.wordpress.org/changeset/3241028/wp-file-upload - Patch
References () https://www.wordfence.com/threat-intel/vulnerabilities/id/595a6ab3-0731-4ef4-a385-5dfebbd917f4?source=cve - () https://www.wordfence.com/threat-intel/vulnerabilities/id/595a6ab3-0731-4ef4-a385-5dfebbd917f4?source=cve - Third Party Advisory

25 Feb 2025, 08:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-02-25 08:15

Updated : 2025-02-28 01:30

NVD link : CVE-2024-13494

Mitre link : CVE-2024-13494

CVE.ORG link : CVE-2024-13494

JSON object : View

Products Affected

iptanus

  • wordpress_file_upload
CWE
CWE-352

Cross-Site Request Forgery (CSRF)