CVE-2021-24962

8.8 HIGH

📋 TL;DR

The WordPress File Upload Free and Pro plugins before 4.16.3 let any user with the Contributor role or higher perform path traversal through the plugin's shortcode arguments: the upload destination named in the shortcode is not confined to the uploads tree. Because Contributors can author posts that contain shortcodes, an attacker holding such an account can point uploads at a directory whose contents the plugin auto-loads, upload PHP code disguised as an image there, and obtain arbitrary code execution on the site.

💻 Affected Systems

Products:
  • WordPress File Upload Free
  • WordPress File Upload Pro
Versions: All versions before 4.16.3
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress installation with the vulnerable plugin enabled and at least one user with Contributor role or higher.

📦 What is this software?

WordPress File Upload (WordPress.org slug wp-file-upload, with a separately sold Pro edition) is a plugin that lets a site owner place a front-end file upload form on any page or post by inserting a shortcode; the shortcode's attributes control where uploaded files are written and which file types are accepted.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full server compromise allowing attackers to execute arbitrary code, steal data, install backdoors, or pivot to other systems.

🟠

Likely Case

Website defacement, data theft, malware distribution, or unauthorized administrative access to the WordPress installation.

🟢

If Mitigated

Limited impact if proper file upload restrictions and user role permissions are enforced.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: No (an authenticated account with the Contributor role or higher is required)
Complexity: LOW

Exploitation requires authenticated user with at least Contributor role. Public exploit details available in security advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.16.3

Vendor Fix (WordPress.org plugin SVN changeset): https://plugins.trac.wordpress.org/changeset/2677722

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'WordPress File Upload' (slug wp-file-upload).
4. Click 'Update Now' if it is offered, or install version 4.16.3 or later from the WordPress.org plugin repository. The Pro edition is distributed by the vendor rather than WordPress.org, so obtain its 4.16.3+ build through the vendor's own update channel.
5. Confirm the plugin is active and reports version 4.16.3 or higher.

🔧 Temporary Workarounds

Disable vulnerable plugin (all platforms)

Temporarily deactivate the WordPress File Upload plugin until it is patched. The plugin's WordPress.org slug is wp-file-upload (not wordpress-file-upload), so with WP-CLI:

wp plugin deactivate wp-file-upload

Restrict user roles (all platforms)

Temporarily demote Contributor-level accounts that are not fully trusted to Subscriber (which cannot author posts and therefore cannot place shortcodes), or otherwise restrict who may author content containing the plugin's shortcode, until the plugin is updated.

🧯 If You Can't Patch

  • Implement strict file upload validation that checks both the destination (reject any upload directory that resolves outside the intended uploads tree) and the content (allowlisted image extensions, matching magic bytes, no embedded PHP open tags), so PHP disguised as an image is rejected before it is written
  • Apply web application firewall rules to detect and block path traversal attempts, including percent-encoded and double-encoded forms; note that the malicious path is supplied as a shortcode argument inside post content, so rules that inspect only the upload request itself may never see it, and post-editor saves from Contributor accounts should be inspected as well
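The two checks the first bullet asks for, as an added example written for this page (it is not the plugin's own code, and it is in Python rather than PHP so that it runs stand-alone; the logic ports directly). The base directory, the allowlist and the sample byte strings are constructed for the demo; the untrusted subdirectory plays the role of the shortcode argument that the vulnerable plugin trusted:

```python
import os
import re

# Constructed allowlist for this example (real sites tune it to their needs).
ALLOWED_IMAGE_EXT = {"jpg", "jpeg", "png", "gif"}

# Leading bytes each allowed type must start with.
IMAGE_MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# Byte sequences that mark embedded PHP; a genuine image contains none of them.
PHP_MARKERS = (b"<?php", b"<?=")

# One short basename with exactly one extension; no dots, separators or odd bytes.
_SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,100}\.([A-Za-z0-9]{1,5})")


class UploadRejected(ValueError):
    """Raised when any check fails; the message says which one."""


def resolve_upload_dir(base_dir, untrusted_subdir):
    """Join the untrusted subdirectory onto base_dir and refuse anything that
    escapes base_dir once '..' components are normalised (the traversal check)."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, untrusted_subdir))
    if target != base and not target.startswith(base + os.sep):
        raise UploadRejected(f"path traversal in subdirectory {untrusted_subdir!r}")
    return target


def checked_filename(name):
    """Reject separators, NUL bytes, double extensions such as shell.php.jpg,
    and any extension outside the allowlist."""
    if "/" in name or "\\" in name or "\x00" in name:
        raise UploadRejected(f"separator or NUL in filename {name!r}")
    m = _SAFE_NAME.fullmatch(name)
    if not m:
        raise UploadRejected(f"filename {name!r} not in allowed form")
    ext = m.group(1).lower()
    if ext not in ALLOWED_IMAGE_EXT:
        raise UploadRejected(f"extension .{ext} not allowed")
    return name, ext


def checked_image_content(content, ext):
    """The bytes must begin with the magic of the claimed type and must not
    carry a PHP open tag anywhere: a PHP-in-JPEG polyglot passes the magic
    check but fails the marker scan."""
    if not any(content.startswith(magic) for magic in IMAGE_MAGIC[ext]):
        raise UploadRejected(f"content does not look like .{ext}")
    for marker in PHP_MARKERS:
        if marker in content:
            raise UploadRejected("embedded PHP open tag in image data")


def check_upload(base_dir, untrusted_subdir, name, content):
    """Run every check; return (True, destination_path) or (False, reason)."""
    try:
        target_dir = resolve_upload_dir(base_dir, untrusted_subdir)
        safe_name, ext = checked_filename(name)
        checked_image_content(content, ext)
    except UploadRejected as exc:
        return False, str(exc)
    return True, os.path.join(target_dir, safe_name)


if __name__ == "__main__":
    BASE = "/srv/www/wp-content/uploads"  # assumed uploads root for the demo
    PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32  # constructed minimal PNG header
    print(check_upload(BASE, "2021/12", "photo.png", PNG))
    print(check_upload(BASE, "../../wp-content/plugins/wp-file-upload", "photo.png", PNG))
    print(check_upload(BASE, "2021/12", "shell.php.jpg", PNG))
    print(check_upload(BASE, "2021/12", "avatar.jpg", b"\xff\xd8\xff\xe0<?php echo 1; ?>"))
```

The destination check is the one that matters for this CVE: it is the subdirectory, not the filename, that the vulnerable versions let a Contributor steer. The marker scan is a heuristic (an attacker can obfuscate a payload the scanner does not recognise), so it complements rather than replaces confining the destination.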

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel → Plugins → Installed Plugins → WordPress File Upload version. If version is below 4.16.3, system is vulnerable.

Check Version:

wp plugin get wp-file-upload --field=version

Verify Fix Applied:

Confirm plugin version is 4.16.3 or higher in WordPress admin panel.
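A scripted form of the version check above, added here as an example (not part of the page or the plugin). It wraps the WP-CLI call and compares versions numerically, because a text comparison would wrongly treat 4.16.10 as older than 4.16.3; the `--path` argument is WP-CLI's standard global option for pointing at a WordPress install:

```python
import re
import shutil
import subprocess

PLUGIN_SLUG = "wp-file-upload"   # WordPress.org slug of the plugin
FIXED_VERSION = "4.16.3"


def parse_version(text):
    """'4.16.3' -> (4, 16, 3). A non-numeric tail such as '-beta' is dropped."""
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"not a version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(installed, fixed=FIXED_VERSION):
    """True when installed < fixed, comparing component by component.
    Missing components count as 0, so '4.16' is older than '4.16.3'."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def installed_version(wp_path=None):
    """Ask WP-CLI for the installed version. Returns None when WP-CLI is not
    on PATH or exits non-zero (which it does when the plugin is absent)."""
    if shutil.which("wp") is None:
        return None
    cmd = ["wp", "plugin", "get", PLUGIN_SLUG, "--field=version"]
    if wp_path:
        cmd.append(f"--path={wp_path}")
    result = subprocess.run(cmd, capture_output=True, text=True)
    if result.returncode != 0:
        return None
    return result.stdout.strip()


if __name__ == "__main__":
    version = installed_version()
    if version is None:
        print(f"{PLUGIN_SLUG}: not installed or WP-CLI unavailable")
    elif is_vulnerable(version):
        print(f"{PLUGIN_SLUG} {version}: VULNERABLE, update to {FIXED_VERSION} or later")
    else:
        print(f"{PLUGIN_SLUG} {version}: patched")
```

Run it from the WordPress document root, or pass `wp_path` explicitly; a site running the Pro edition reports its version the same way, since both editions use the same plugin slug locally.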

📡 Detection & Monitoring

Log Indicators:

  • New files under wp-content/uploads (the plugin's destination directory is set per shortcode, so check the whole tree, including wp-content/uploads/wp-file-upload) and, for this CVE specifically, new PHP files inside the plugin's own directory under wp-content/plugins
  • HTTP 200 responses for .php, .phtml or .phar files requested under wp-content/uploads, which means the server executed them
  • Path traversal patterns ('../', and the percent-encoded '%2e%2e%2f' and double-encoded '%252e%252e%252f' forms) in request URIs, and in post content saved by Contributor-level accounts

Network Indicators:

  • POST requests with suspicious file upload parameters
  • Requests containing '../' patterns in file paths

SIEM Query:

source="access.log" AND (uri="*/wp-content/uploads/*.php*" OR uri="*../*" OR uri="*%2e%2e%2f*" OR uri="*%2e%2e/*")

Match on the request URI in the web server access log: a free-text search for the phrase "path traversal" finds nothing, because no server log contains that string. A bare "../" term is noisy on its own, so triage .php hits under wp-content/uploads (especially with status 200) first. The traversal string for this CVE travels in post content as a shortcode argument, which an access log does not record, so the query is a detector for follow-on activity rather than for the shortcode abuse itself; the filesystem indicators above cover that gap.
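The log indicators and the query above, turned into runnable detection logic as an added example (not from the page or the plugin). The regex parses Apache/nginx combined-format lines, the decoder repeats percent-decoding so that double-encoded traversal is caught, and the sample lines are constructed for the demo, not taken from any real incident:

```python
import re
from urllib.parse import unquote

# Apache/nginx "combined" format; anything after the response size is ignored.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

UPLOAD_PREFIX = "/wp-content/uploads/"
# Extensions PHP handlers commonly serve; anchored so photo.php.jpg is not a hit here.
PHP_EXT = re.compile(r"\.(php\d?|phtml|phar)(?:$|[/?#])", re.IGNORECASE)


def fully_decode(text, rounds=3):
    """Percent-decode until the value stops changing, so %2e%2e%2f and the
    double-encoded %252e%252e%252f both come out as '../'."""
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def analyse(line):
    """Return a list of (rule, detail) findings for one access-log line."""
    m = LOG_RE.match(line)
    if not m:
        return []
    target = fully_decode(m.group("target"))
    status = int(m.group("status"))
    findings = []
    if "../" in target or "..\\" in target:
        findings.append(("path_traversal", target))
    path = target.split("?", 1)[0]
    if path.startswith(UPLOAD_PREFIX) and PHP_EXT.search(path):
        # A 200 means the server handed the file to PHP: the script ran.
        rule = "php_executed_from_uploads" if status == 200 else "php_requested_from_uploads"
        findings.append((rule, f"{path} status={status}"))
    return findings


def scan(lines):
    """Map 1-based line number to its findings, omitting clean lines."""
    report = {}
    for number, line in enumerate(lines, 1):
        hits = analyse(line)
        if hits:
            report[number] = hits
    return report


# Constructed sample log lines for the demo (not from any real incident).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jan/2022:10:00:01 +0000] "GET /wp-content/uploads/2022/01/photo.jpg HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Jan/2022:10:00:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 43 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Jan/2022:10:00:03 +0000] "GET /index.php?dir=..%2F..%2Fwp-content%2Fplugins HTTP/1.1" 200 310 "-" "curl/7.68.0"',
    '198.51.100.9 - - [10/Jan/2022:10:00:04 +0000] "GET /index.php?dir=%252e%252e%252f%252e%252e%252fplugins HTTP/1.1" 200 310 "-" "curl/7.68.0"',
    '198.51.100.9 - - [10/Jan/2022:10:00:05 +0000] "GET /wp-content/uploads/wp-file-upload/avatar.php HTTP/1.1" 200 12 "-" "curl/7.68.0"',
    '198.51.100.9 - - [10/Jan/2022:10:00:06 +0000] "GET /wp-content/uploads/2022/01/notes.phtml HTTP/1.1" 403 199 "-" "curl/7.68.0"',
]

if __name__ == "__main__":
    for number, hits in scan(SAMPLE_LOG).items():
        for rule, detail in hits:
            print(f"line {number}: {rule}: {detail}")
```

Feed it real lines with `scan(open(path).read().splitlines())`. Since the shortcode argument never appears in the access log, pair this with a filesystem sweep for recently modified .php files under wp-content/uploads and wp-content/plugins/wp-file-upload.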
