CVE-2024-13117

6.5 MEDIUM

📋 TL;DR

The Social Share Buttons for WordPress plugin through version 2.7 contains an unauthenticated file upload vulnerability. This allows attackers without credentials to upload arbitrary image files and control where they're stored on the server. All WordPress sites using vulnerable versions of this plugin are affected.

💻 Affected Systems

Products:
  • Social Share Buttons for WordPress
Versions: All versions through 2.7
Operating Systems: All operating systems running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in default plugin configuration. No special configuration required for exploitation.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could upload malicious PHP files disguised as images, achieve remote code execution, and take full control of the WordPress server.

🟠 Likely Case

Attackers upload malicious images for phishing campaigns, deface websites, or use server resources for hosting malicious content.

🟢 If Mitigated

If proper file type validation and authentication checks are in place, impact is limited to potential storage abuse.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

WPScan provides technical details and proof-of-concept. The vulnerability requires minimal technical skill to exploit.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 2.8 or later

Vendor Advisory: https://wpscan.com/vulnerability/3234cdac-f328-4f1e-a1de-31fbd86aefb9/

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Social Share Buttons' and click 'Update Now'.
4. Verify the plugin version is 2.8 or higher.

🔧 Temporary Workarounds

Disable vulnerable plugin (platform: all)

Temporarily deactivate the Social Share Buttons plugin until patched:

wp plugin deactivate social-share-buttons

Restrict file uploads via .htaccess (platform: linux)

Deny web access to PHP files in the uploads directory, so that a script uploaded with an image-looking name cannot be executed even if the upload itself succeeds:

# Add to .htaccess in the uploads directory.
# Apache 2.2 syntax; on Apache 2.4 replace the Order/Deny lines with "Require all denied".
<FilesMatch "\.(php|php5|phtml|phar)$">
Order Allow,Deny
Deny from all
</FilesMatch>

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block unauthenticated file upload requests
  • Monitor upload directories for suspicious files and implement file integrity monitoring

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel → Plugins → Social Share Buttons version. If version is 2.7 or lower, you are vulnerable.

Check Version:

wp plugin get social-share-buttons --field=version

Verify Fix Applied:

Verify plugin version is 2.8 or higher in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to /wp-content/plugins/social-share-buttons/ upload endpoints
  • Multiple image uploads from single IP addresses
  • Uploads of files with double extensions (.jpg.php)

Network Indicators:

  • HTTP POST requests to plugin upload endpoints without authentication headers
  • Uploads of files larger than typical images

SIEM Query:

source="web_server" AND (uri_path="/wp-content/plugins/social-share-buttons/*" AND method="POST") AND NOT user_agent="WordPress/*"
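The log and network indicators above, applied to Apache combined-format access-log lines in Python. This is an added example, not part of the advisory or the plugin: the upload.php endpoint name, the IP addresses and the timestamps are constructed placeholders, and the WordPress user-agent exclusion mirrors the SIEM query.

```python
import re
from collections import Counter

# Constructed sample access-log lines (Apache combined format); not real traffic.
# "upload.php" is a placeholder name for the plugin's upload endpoint.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2025:10:00:01 +0000] "POST /wp-content/plugins/social-share-buttons/upload.php HTTP/1.1" 200 512 "-" "curl/8.4.0"
203.0.113.5 - - [10/Jan/2025:10:00:02 +0000] "POST /wp-content/plugins/social-share-buttons/upload.php HTTP/1.1" 200 512 "-" "curl/8.4.0"
203.0.113.5 - - [10/Jan/2025:10:00:03 +0000] "POST /wp-content/plugins/social-share-buttons/upload.php HTTP/1.1" 200 512 "-" "curl/8.4.0"
203.0.113.5 - - [10/Jan/2025:10:00:09 +0000] "GET /wp-content/uploads/2025/01/logo.jpg.php HTTP/1.1" 200 88 "-" "curl/8.4.0"
198.51.100.7 - - [10/Jan/2025:10:01:00 +0000] "GET /wp-content/plugins/social-share-buttons/css/style.css HTTP/1.1" 200 2048 "https://example.test/" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2025:10:01:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
PLUGIN_PATH = "/wp-content/plugins/social-share-buttons/"
# An image extension followed by a PHP-executable extension, e.g. logo.jpg.php
DOUBLE_EXT_RE = re.compile(r"\.(?:jpe?g|png|gif|webp)\.(?:php\d?|phtml|phar)$", re.I)


def scan_access_log(lines, post_threshold=3):
    """Return (ip, reason, path) findings for the indicators listed in the advisory."""
    findings = []
    posts_per_ip = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        ip, method, ua = m["ip"], m["method"], m["ua"]
        path = m["path"].split("?", 1)[0]  # drop the query string
        # Indicator 1: POST to the plugin's paths, excluding WordPress's own traffic.
        if method == "POST" and path.startswith(PLUGIN_PATH) and not ua.startswith("WordPress/"):
            posts_per_ip[ip] += 1
            findings.append((ip, "post_to_plugin", path))
        # Indicator 2: a request for a file with a double extension (.jpg.php).
        if DOUBLE_EXT_RE.search(path):
            findings.append((ip, "double_extension", path))
    # Indicator 3: many upload POSTs from a single IP.
    for ip, n in posts_per_ip.items():
        if n >= post_threshold:
            findings.append((ip, f"burst_uploads:{n}", PLUGIN_PATH))
    return findings


if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG.splitlines()):
        print(finding)
```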
