CVE-2024-13418
📋 TL;DR
This vulnerability allows authenticated WordPress users with Subscriber-level access or higher to upload arbitrary files through vulnerable plugins/themes. This can lead to remote code execution on affected WordPress sites. Sites using specific vulnerable themes/plugins from Envato are affected.
💻 Affected Systems
- Beyot WordPress Real Estate Theme
- Other unspecified Envato plugins/themes
📦 What is this software?
April by G5plus
Auteur by G5plus
Benaa by G5plus
Beyot by G5plus
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise through remote code execution, data theft, site defacement, and malware distribution.
Likely Case
Unauthorized file upload leading to backdoor installation, limited data access, and potential privilege escalation.
If Mitigated
File upload attempts logged and blocked, no code execution possible.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once authenticated. Subscriber accounts are easy to obtain.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Latest versions from Envato (partially patched)
Vendor Advisory: https://themeforest.net/item/beyot-wordpress-real-estate-theme/19514964
Restart Required: No
Instructions:
1. Update all Envato plugins/themes to the latest versions.
2. Verify that the patches are complete.
3. Remove any suspicious uploaded files.
🔧 Temporary Workarounds
Disable vulnerable functionality
Remove or disable the ajaxUploadFonts() function in affected plugins/themes
Edit plugin/theme files to comment out or remove ajaxUploadFonts function
Restrict file uploads
Configure the web server to block uploads to vulnerable endpoints
Add a location block in nginx: location ~* /wp-admin/admin-ajax.php { deny all; } (note that this denies every admin-ajax.php request, including legitimate front-end and admin features that depend on it)
Add a Directory block in Apache: <Directory /wp-content/uploads> php_flag engine off </Directory> (Directory takes a filesystem path, so use the full path to your uploads directory)
🧯 If You Can't Patch
- Implement strict file upload validation at web application firewall level
- Monitor and alert on suspicious file uploads to /wp-content/uploads/ directory
🔍 How to Verify
Check if Vulnerable:
Check if using Beyot theme or other Envato products. Review plugin/theme code for ajaxUploadFonts() function without proper capability checks.
Check Version:
Check the WordPress admin panel for plugin/theme versions, or use WP-CLI: wp plugin list --fields=name,version and wp theme list --fields=name,version
Verify Fix Applied:
Test authenticated file upload functionality. Verify capability checks are implemented in ajaxUploadFonts().
📡 Detection & Monitoring
Log Indicators:
- POST requests to /wp-admin/admin-ajax.php with action=ajaxUploadFonts
- File uploads to unusual locations in /wp-content/uploads/
- Multiple failed upload attempts from single user
Network Indicators:
- Unusual file upload traffic patterns
- POST requests with font/file upload parameters to admin-ajax.php
SIEM Query:
source="web_logs" AND uri="/wp-admin/admin-ajax.php" AND method="POST" AND params.action="ajaxUploadFonts"
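The log indicators above, turned into a small access-log scanner. This is an added example, not part of the advisory; the log lines are constructed samples in combined format. It assumes the AJAX action is visible in the query string: when a client sends action only in the POST body, the access log will not show it, so plain POSTs to admin-ajax.php are reported separately as needing body-level inspection (WAF or ModSecurity audit log). It also flags requests for PHP files under /wp-content/uploads/, the execution path the Apache workaround above disables.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined-format access log: ip ident user [ts] "METHOD path PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]+" (?P<status>\d{3}) \d+'
)

# Constructed sample lines (not real traffic)
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2025:10:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=ajaxUploadFonts HTTP/1.1" 200 47
203.0.113.5 - - [01/Jan/2025:10:00:02 +0000] "GET /wp-content/uploads/2025/01/uploaded.php HTTP/1.1" 200 12
198.51.100.9 - - [01/Jan/2025:10:00:03 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 20
198.51.100.9 - - [01/Jan/2025:10:00:04 +0000] "GET /wp-content/uploads/2025/01/logo.png HTTP/1.1" 200 5000
"""


def classify(line):
    """Return a finding string for one log line, or None if nothing matched."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("path"))
    qs = parse_qs(parts.query)
    if parts.path.endswith("/wp-admin/admin-ajax.php") and m.group("method") == "POST":
        if "ajaxUploadFonts" in qs.get("action", []):
            return "ajaxUploadFonts call"
        if "action" not in qs:
            # Assumption: action was sent in the body, which access logs do not record
            return "admin-ajax POST, action in body: needs body inspection"
        return None
    # A PHP file served from uploads is what 'php_flag engine off' is meant to stop
    if parts.path.startswith("/wp-content/uploads/") and re.search(r"\.ph(p\d?|tml|ar)$", parts.path, re.I):
        return "PHP file requested under uploads"
    return None


def scan(log_text):
    """Return (client ip, finding) tuples for every line with a finding."""
    findings = []
    for line in log_text.splitlines():
        finding = classify(line)
        if finding:
            findings.append((LOG_RE.match(line).group("ip"), finding))
    return findings


if __name__ == "__main__":
    for ip, finding in scan(SAMPLE_LOG):
        print(ip, finding)
```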