CVE-2024-11265
📋 TL;DR
This vulnerability in the WordPress 'Increase Maximum Upload File Size' plugin discloses full server path information in error messages when image uploads fail. Authenticated attackers with author-level permissions or higher can exploit this to obtain path information that could aid other attacks. The vulnerability affects all plugin versions up to and including 1.1.3.
💻 Affected Systems
- WordPress Increase Maximum Upload File Size | Increase Execution Time plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers combine path disclosure with another vulnerability (like file inclusion or directory traversal) to achieve remote code execution or sensitive file access.
Likely Case
Attackers gather reconnaissance information about server structure to plan more sophisticated attacks, though no direct compromise occurs from this vulnerability alone.
If Mitigated
Path information is exposed but cannot be leveraged due to lack of other vulnerabilities and proper access controls.
🎯 Exploit Status
Exploitation requires authenticated access and involves triggering image upload errors to receive path disclosure in error messages.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.1.4
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3191874/
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'Increase Maximum Upload File Size | Increase Execution Time'. 4. Click 'Update Now' if update is available. 5. Alternatively, download version 1.1.4+ from WordPress plugin repository and manually update.
🔧 Temporary Workarounds
Disable vulnerable plugin
allTemporarily deactivate the plugin until patched version can be installed
Restrict author-level access
allReview and reduce user accounts with author permissions or higher
🧯 If You Can't Patch
- Implement strict access controls to limit author-level permissions to trusted users only
- Monitor logs for unusual upload activity or path disclosure attempts
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for 'Increase Maximum Upload File Size | Increase Execution Time' plugin version. If version is 1.1.3 or lower, system is vulnerable.Check Version:
wp plugin list --name='Increase Maximum Upload File Size | Increase Execution Time' --field=version (if WP-CLI installed)Verify Fix Applied:
After update, verify plugin version shows 1.1.4 or higher in WordPress admin panel.📡 Detection & Monitoring
Log Indicators:
- Failed image upload attempts by authenticated users
- Error logs containing full server path information
Network Indicators:
- HTTP POST requests to upload endpoints with malformed image files
SIEM Query:
source="wordpress.log" AND ("upload failed" OR "path disclosure") AND user_role IN ("author", "editor", "administrator")🔗 References
- https://plugins.trac.wordpress.org/browser/wp-maximum-upload-file-size/tags/1.1.2/inc/class-wmufs-chunk-files.php#L228
- https://plugins.trac.wordpress.org/browser/wp-maximum-upload-file-size/trunk/inc/class-wmufs-chunk-files.php#L247
- https://plugins.trac.wordpress.org/changeset/3191874/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/e49e7cdf-93ca-415f-ba83-986cbb869220?source=cve
