CVE-2024-13494

4.3 MEDIUM

📋 TL;DR

CVE-2024-13494 is a cross-site request forgery (CSRF) flaw in the WordPress File Upload plugin. The request that edits the user data details recorded for an uploaded file (the wfu_file_details action) is not protected by a nonce check, so an attacker with no account on the site can lure a logged-in administrator into opening a crafted link or page and have that administrator's browser submit a forged request that changes those details. All sites running version 4.25.2 or earlier are affected; version 4.25.3 contains the fix.

💻 Affected Systems

Products:
  • WordPress File Upload plugin
Versions: All versions up to and including 4.25.2
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Any WordPress site with the plugin active at version 4.25.2 or earlier is exposed. Exploitation needs an administrator who is logged in to the site and, while that session is active, visits attacker-controlled content (a link, a web page, an HTML email).

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker rewrites the user data details of uploaded files that administrators rely on when reviewing, approving or routing uploads, for example to disguise a malicious upload as a legitimate one or to corrupt records the site uses for later processing. The advisory describes only modification of this metadata; file contents are not changed.

🟠 Likely Case

Attackers modify file metadata to mislabel files, create confusion, or prepare a social engineering follow-up by making a malicious upload look legitimate to whoever reviews it.

🟢 If Mitigated

With the plugin at 4.25.3 or later the forged request fails its nonce check. Even on an unpatched site the impact is bounded: the attack needs a logged-in administrator to act, and only file metadata, not file content, can be changed.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: No
Weaponized: Not known (no public exploit observed)
Unauthenticated Exploit: ⚠️ Yes (the attacker needs no account, but a logged-in administrator must open attacker-controlled content)
Complexity: LOW

CSRF is a well-understood technique and a forged request is trivial to build once the target parameters are known; the practical barrier is the social engineering needed to get an administrator to open the lure while logged in.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.25.3 or later

Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3241028/wp-file-upload

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the 'WordPress File Upload' plugin.
4. Click 'Update Now' if an update is offered.
5. Alternatively, download version 4.25.3 or later from the WordPress plugin repository and update manually, or run `wp plugin update wp-file-upload` from the command line.

🔧 Temporary Workarounds

Temporary Plugin Deactivation

Applies to: all platforms

Disable the vulnerable plugin until it can be patched. Front-end upload forms provided by the plugin stop working while it is deactivated; the vulnerable handler is not loaded for a deactivated plugin.

wp plugin deactivate wp-file-upload

🧯 If You Can't Patch

  • Keep administrator sessions short: log out of wp-admin when not actively administering the site, and do not browse untrusted sites in the same browser profile as an active admin session.
  • At a WAF or reverse proxy, block requests that invoke the wfu_file_details action when the Origin or Referer header is missing or names a host other than the site itself. Expect to whitelist administrators whose browsers strip Referer.
  • Restrict access to /wp-admin/ to trusted networks or put an extra authentication layer (VPN, HTTP basic auth) in front of it. This limits who can reach the admin area at all, but it does not stop CSRF on its own: the forged request is sent by the administrator's browser from inside the trusted network.

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Installed Plugins for 'WordPress File Upload' at version 4.25.2 or lower. Only an active plugin is exposed; an installed but deactivated copy does not register the vulnerable handler, though it should still be updated before reactivation.

Check Version:

wp plugin get wp-file-upload --field=version

Verify Fix Applied:

Verify plugin version is 4.25.3 or higher in WordPress admin panel
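A version check for the steps above, added here as an example (not vendor code): it parses the version string reported by `wp plugin get wp-file-upload --field=version`, or the Version: line of the plugin's main PHP file, and compares it numerically against 4.25.3. Numeric comparison matters because plain string comparison orders "4.25.10" before "4.25.3". The sample plugin header is constructed for the example.

```python
import re

# First version that carries the fix, per the advisory above.
FIXED_VERSION = "4.25.3"


def parse_version(text):
    """Turn a dotted version such as '4.25.2' into a tuple of ints for correct ordering.

    A leading 'v' and surrounding whitespace are tolerated; anything else is rejected
    rather than silently compared as a string.
    """
    m = re.match(r"^\s*v?(\d+(?:\.\d+)*)\s*$", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(installed_version):
    """True when the installed version is below the first fixed release (4.25.3)."""
    installed = parse_version(installed_version)
    fixed = parse_version(FIXED_VERSION)
    # Pad the shorter tuple with zeros so '4.25' compares as 4.25.0.
    width = max(len(installed), len(fixed))
    installed += (0,) * (width - len(installed))
    fixed += (0,) * (width - len(fixed))
    return installed < fixed


def version_from_plugin_header(php_source):
    """Read the 'Version:' line from a WordPress plugin's main PHP file header.

    Useful when wp-cli is unavailable and you are inspecting wp-content/plugins directly.
    """
    m = re.search(r"^\s*\*?\s*Version:\s*(\S+)", php_source, re.MULTILINE)
    return m.group(1) if m else None


# Constructed sample header in WordPress plugin-header shape (not the real plugin file).
SAMPLE_HEADER = """<?php
/*
Plugin Name: WordPress File Upload
Version: 4.25.2
*/
"""

if __name__ == "__main__":
    found = version_from_plugin_header(SAMPLE_HEADER)
    print(f"installed {found}: {'VULNERABLE' if is_vulnerable(found) else 'fixed'}")
```

Feed the script the output of the wp-cli command, or the contents of the plugin's main PHP file, and act on the boolean rather than on a visual check of the version string.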

📡 Detection & Monitoring

Log Indicators:

  • Requests invoking the wfu_file_details action (this page names /wp-admin/admin-ajax.php; apply the same check to any /wp-admin/ script) whose Referer or Origin header is missing or names a host other than the site itself.
  • Bursts of file-detail modification requests within one administrator session. Note that a forged request is sent by the administrator's own browser, so its source IP is the administrator's, not the attacker's; counting requests per IP does not identify the attacker.

Network Indicators:

  • Cross-origin Referer or Origin headers on state-changing requests to admin endpoints.
  • Where outbound proxy logs exist, an administrator's browser fetching an unfamiliar external page immediately before such a request.

SIEM Query:

source="wordpress" uri_path="/wp-admin/admin-ajax.php" action="wfu_file_details" NOT referer="https://<your-site>/*"

Replace <your-site> with the site's own origin. The field names (uri_path, action, referer) depend on the log source; if the action is sent in the POST body, the access log will not carry it and the query must run against a WAF or application log that does.
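Detection logic for the indicators above, run over constructed access-log lines (an added example, not a query shipped with the plugin or any SIEM). It assumes Apache/nginx combined log format, that the site's hostname is known (SITE_HOST is a placeholder), and that the action name appears in the query string; when the action travels only in a POST body, the same checks have to run on a WAF or application log that records it.

```python
import re
from urllib.parse import parse_qs, urlparse

# Placeholder for the site's own hostname (assumption; set it to your WordPress host).
SITE_HOST = "blog.example.org"

# Combined format: ip ident user [time] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return the request fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlparse(rec["path"])
    rec["script"] = url.path
    # WordPress names the handler in the 'action' parameter. For admin-ajax.php it is often in the
    # POST body, which an access log does not record; only a query-string action is visible here.
    rec["action"] = parse_qs(url.query).get("action", [""])[0]
    return rec


def is_file_details_request(rec):
    """True for any /wp-admin/ request that invokes the wfu_file_details action."""
    return rec["script"].startswith("/wp-admin/") and rec["action"] == "wfu_file_details"


def referer_host(referer):
    """Hostname from the Referer header, or None when the header is absent ('-' in the log)."""
    if referer in ("", "-"):
        return None
    return (urlparse(referer).hostname or "").lower()


def referer_offsite(referer):
    """True when the Referer is missing or names a host other than the site itself."""
    host = referer_host(referer)
    return host is None or host != SITE_HOST


def find_suspicious(lines):
    """Return records of wfu_file_details requests whose Referer is missing or off-site."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and is_file_details_request(rec) and referer_offsite(rec["referer"]):
            host = referer_host(rec["referer"])
            rec["reason"] = "missing-referer" if host is None else f"offsite-referer:{host}"
            hits.append(rec)
    return hits


# Constructed sample lines (not real traffic). All admin requests come from the administrator's
# own IP, 203.0.113.7: the CSRF hits are the second and third lines, not a new source address.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jan/2025:09:14:02 +0000] "GET /wp-admin/admin-ajax.php?action=wfu_file_details&file=12 HTTP/1.1" 200 5120 "https://blog.example.org/wp-admin/admin.php" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jan/2025:09:20:41 +0000] "POST /wp-admin/admin-ajax.php?action=wfu_file_details HTTP/1.1" 200 311 "https://attacker.example/lure.html" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jan/2025:09:21:05 +0000] "GET /wp-admin/admin-ajax.php?action=wfu_file_details&file=12 HTTP/1.1" 200 311 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Jan/2025:09:25:00 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 88 "https://blog.example.org/wp-admin/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(hit["ts"], hit["ip"], hit["method"], hit["script"], hit["reason"])
```

The missing-Referer case is deliberately flagged rather than ignored, because a lure page can suppress the header; expect noise from administrators running privacy extensions and tune accordingly. Where the web server logs the Origin header, check it with the same rule, since browsers send it on cross-site POSTs even when Referer is stripped.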

🔗 References
