CVE-2024-11150

9.8 CRITICAL

📋 TL;DR

The WordPress User Extra Fields plugin contains an arbitrary file deletion vulnerability that allows unauthenticated attackers to delete any file the PHP process is able to unlink. It affects all WordPress sites running plugin version 16.6 or earlier. Deleting wp-config.php, for example, forces WordPress back into its setup routine, which an attacker can complete to take over the site and obtain remote code execution.

💻 Affected Systems

Products:
  • WordPress User Extra Fields plugin
Versions: All versions up to and including 16.6
Operating Systems: All operating systems running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: All WordPress installations with the vulnerable plugin are affected regardless of configuration.

📦 What is this software?

User Extra Fields is a commercial WordPress plugin sold through CodeCanyon (see the vendor link under Fix & Mitigation) that adds custom fields to user registration and profile forms, including file-upload fields. The vulnerable code path is the plugin's delete_tmp_uploaded_file() handler for those uploads, which is reachable without authentication.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete site takeover. Deleting wp-config.php does not expose credentials directly; it drops WordPress back into its installation routine, which an unauthenticated attacker can complete against a database they control to obtain an administrator account, then upload a malicious plugin or theme for remote code execution and potential server compromise.

🟠 Likely Case

Site defacement or denial of service through deletion of critical WordPress files, potentially leading to data loss and business disruption.

🟢 If Mitigated

Limited impact when the plugin is deactivated or removed, or when a WAF rejects the delete requests before they reach PHP. Permission hardening alone is a weak mitigation: the vulnerability remains exploitable in 16.6 and earlier, and the deleting process usually owns the files it is asked to delete.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ❌ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability requires no authentication and has a simple exploitation path via crafted HTTP requests.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 16.7 or later

Vendor Advisory: https://codecanyon.net/item/user-extra-fields/12949844

Restart Required: No

Instructions:

1. Log into WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Find 'User Extra Fields' plugin
4. Click 'Update Now' if update is available
5. If no update appears, manually download version 16.7+ from CodeCanyon and replace plugin files

🔧 Temporary Workarounds

Disable plugin immediately

Platform: all

Temporarily disable the vulnerable plugin to prevent exploitation:

wp plugin deactivate user-extra-fields

Web Application Firewall rule

Platform: all

Block requests to the vulnerable delete_tmp_uploaded_file() function.

Add a WAF rule that blocks POST requests containing 'delete_tmp_uploaded_file' in the URL or parameters. Treat this as a stopgap: a rule keyed on the function name only catches requests that carry that string literally, so also reject any request to the plugin's endpoints whose parameters contain a path-traversal sequence ('../' or its URL-encoded forms such as '..%2F') or an absolute path, and verify that the rule inspects decoded parameter values.

🧯 If You Can't Patch

  • Remove the plugin entirely from the WordPress installation
  • Tighten ownership and permissions (644 for files, 755 for directories, and wp-config.php owned by an account other than the PHP process where the host allows it) and disable PHP execution in upload directories. Note that unlink() needs write access to the containing directory, not to the file, so on a typical host where the PHP process owns the WordPress tree these settings reduce follow-on damage but do not stop the deletion itself.

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel → Plugins → User Extra Fields → Version number. If version is 16.6 or lower, you are vulnerable.

Check Version:

wp plugin get user-extra-fields --field=version

Verify Fix Applied:

Verify plugin version is 16.7 or higher in WordPress admin panel and test that delete functionality no longer accepts arbitrary file paths.
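The version comparison behind the check above, as an added Python example (not code from the plugin or from this advisory): it splits the version string into integers so that 16.10 correctly sorts after 16.7, which a plain string comparison gets wrong, and optionally pulls the installed version from wp-cli. The plugin slug user-extra-fields and the 16.7 boundary are taken from this page; the --path option is wp-cli's standard global flag. Everything else (function names, the assumption that wp is on PATH) is this example's own.

```python
import re
import shutil
import subprocess

FIRST_FIXED = (16, 7)               # first fixed release according to this advisory
PLUGIN_SLUG = "user-extra-fields"   # slug used on this page; confirm it matches your plugins/ directory


def parse_version(text):
    """Split a version string into an integer tuple.

    '16.6' -> (16, 6), '16.10' -> (16, 10), 'v16.7.1' -> (16, 7, 1).
    Comparing tuples avoids the classic mistake where '16.10' < '16.7' as strings.
    """
    numbers = re.findall(r"\d+", text)
    if not numbers:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(n) for n in numbers)


def is_vulnerable(version_text):
    """True for every release before 16.7 (i.e. 16.6 and earlier)."""
    return parse_version(version_text) < FIRST_FIXED


def check_via_wp_cli(wp_path="."):
    """Ask wp-cli for the installed version and classify it.

    Returns (version, vulnerable), or None when wp-cli is unavailable or the
    plugin is not installed. Assumes 'wp' is on PATH and wp_path is the
    WordPress root (assumption for this example).
    """
    if shutil.which("wp") is None:
        return None
    proc = subprocess.run(
        ["wp", "plugin", "get", PLUGIN_SLUG, "--field=version", f"--path={wp_path}"],
        capture_output=True, text=True,
    )
    if proc.returncode != 0:
        return None
    version = proc.stdout.strip()
    return version, is_vulnerable(version)


if __name__ == "__main__":
    result = check_via_wp_cli()
    if result is None:
        print("wp-cli not available or plugin not installed")
    else:
        version, vulnerable = result
        status = "VULNERABLE, update to 16.7+" if vulnerable else "patched"
        print(f"User Extra Fields {version}: {status}")
```

Run it from the WordPress root, or pass the root as wp_path. The pure functions are what matter for fleet scripts: feed them the version strings you already collect and keep the comparison numeric.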

📡 Detection & Monitoring

Log Indicators:

  • HTTP POST requests to */wp-content/plugins/user-extra-fields/* containing file deletion parameters
  • 404 errors for critical files like wp-config.php

Network Indicators:

  • Unusual POST requests to plugin endpoints from unauthenticated sources
  • Multiple file deletion attempts in short timeframes

SIEM Query:

source="web_server" AND (uri_path="*user-extra-fields*" AND method="POST" AND (param="delete_tmp_uploaded_file" OR param="file_path"))

Note: standard web-server access logs record the request line but not POST bodies, so the param conditions above need WAF or application-level logging that captures parameters; on access logs alone, alert on POST requests to the plugin path and correlate with the 404 indicator.
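The query above expressed as runnable detection logic, as an added Python example that is not part of this advisory or of the plugin: it parses access-log lines in the common combined format, pulls the query parameters out of the request target, labels each event, and counts delete attempts per source address. The five log lines are constructed for the example. The endpoint ajax.php under the plugin directory and the parameter names action and file_path are assumptions modelled on the indicators listed on this page, not the plugin's documented interface; adjust PLUGIN_PATH and the parameter names to what your WAF or application logs actually show. URL-decoding the parameter is what catches the ..%2F form on the second sample line, and the same is_delete_request predicate plus the traversal check is what a WAF rule for the workaround above should implement.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Apache/nginx "combined" format) for this example.
# The endpoint ajax.php and the parameters action / file_path are assumed, not taken
# from the plugin; real exploitation traffic may use a different path or parameter name.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Dec/2024:14:03:11 +0000] "POST /wp-content/plugins/user-extra-fields/ajax.php?action=delete_tmp_uploaded_file&file_path=../../../wp-config.php HTTP/1.1" 200 12 "-" "curl/8.4.0"
203.0.113.5 - - [10/Dec/2024:14:03:12 +0000] "POST /wp-content/plugins/user-extra-fields/ajax.php?action=delete_tmp_uploaded_file&file_path=..%2F..%2Fwp-config.php HTTP/1.1" 200 12 "-" "curl/8.4.0"
198.51.100.7 - - [10/Dec/2024:14:05:40 +0000] "POST /wp-content/plugins/user-extra-fields/ajax.php?action=delete_tmp_uploaded_file&file_path=tmp_9f2a.png HTTP/1.1" 200 12 "https://example.org/register/" "Mozilla/5.0"
192.0.2.9 - - [10/Dec/2024:14:06:02 +0000] "GET /wp-content/plugins/user-extra-fields/assets/style.css HTTP/1.1" 200 4311 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Dec/2024:14:07:15 +0000] "GET /wp-config.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

PLUGIN_PATH = "/wp-content/plugins/user-extra-fields/"
DELETE_MARKER = "delete_tmp_uploaded_file"
CRITICAL_FILES = ("wp-config.php", ".htaccess")


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    # parse_qs URL-decodes values, so '..%2F..%2F' becomes '../../' here.
    params = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    return {
        "ip": m.group("ip"), "ts": m.group("ts"), "method": m.group("method"),
        "path": parts.path, "params": params, "status": int(m.group("status")),
    }


def is_delete_request(ev):
    """POST to the plugin that names the delete function or carries a file_path."""
    if ev["method"] != "POST" or PLUGIN_PATH not in ev["path"]:
        return False
    haystack = " ".join([ev["path"], *ev["params"].keys(), *ev["params"].values()])
    return DELETE_MARKER in haystack or "file_path" in ev["params"]


def classify(ev):
    """'critical' for traversal, absolute or core-file targets and for a 404 on
    wp-config.php (a present wp-config.php never 404s); 'suspicious' for any other
    delete call; None otherwise."""
    if is_delete_request(ev):
        target = ev["params"].get("file_path", "")
        if "../" in target or target.startswith("/") or target.endswith(CRITICAL_FILES):
            return "critical"
        return "suspicious"
    if ev["status"] == 404 and ev["path"].endswith("/wp-config.php"):
        return "critical"
    return None


def analyze(log_text):
    """Return (findings, delete_attempts_by_ip) for a block of log text.
    Each finding is (label, ip, path, file_path)."""
    findings = []
    attempts = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        label = classify(ev)
        if label:
            findings.append((label, ev["ip"], ev["path"], ev["params"].get("file_path")))
        if is_delete_request(ev):
            attempts[ev["ip"]] = attempts.get(ev["ip"], 0) + 1
    return findings, attempts


if __name__ == "__main__":
    findings, attempts = analyze(SAMPLE_LOG)
    for finding in findings:
        print(*finding)
    for ip, n in attempts.items():
        if n >= 2:
            print(f"{ip}: {n} delete calls, repeated attempts")
```

Even the 'suspicious' hit (a plausible temporary-file name) deserves a look when it arrives without a session cookie or from an address with no prior registration traffic, since the endpoint is reachable unauthenticated.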
