CVE-2024-13504
📋 TL;DR
This vulnerability allows unauthenticated attackers to upload malicious dfxp files containing JavaScript that executes automatically when accessed. It affects WordPress sites using the Shared Files plugin up to version 1.7.42 on Apache web servers, where dfxp files are processed by default.
💻 Affected Systems
- Shared Files – Frontend File Upload Form & Secure File Sharing WordPress plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal session cookies, redirect users to malicious sites, or perform actions on behalf of authenticated users, potentially leading to complete site compromise.
Likely Case
Attackers inject malicious scripts that steal user data, display phishing content, or deface the website when users access uploaded dfxp files.
If Mitigated
With proper input validation and output escaping, malicious scripts would be neutralized before execution, preventing any impact.
🎯 Exploit Status
Exploitation requires uploading a malicious dfxp file; no authentication needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 1.7.43 or later
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Shared Files' and click 'Update Now'.
4. Verify the version is 1.7.43 or higher.
🔧 Temporary Workarounds
Disable dfxp file uploads
Modify plugin settings or server configuration to block dfxp file uploads through the Shared Files plugin.
Switch to Nginx web server
Migrate from Apache to Nginx, as the vulnerability only affects Apache environments.
🧯 If You Can't Patch
- Disable the Shared Files plugin entirely until patched.
- Implement a web application firewall (WAF) rule to block dfxp file uploads and execution.
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Installed Plugins for Shared Files version; if version is 1.7.42 or lower, the site is vulnerable.
Check Version:
wp plugin list --name=shared-files --field=version (if WP-CLI is installed)
Verify Fix Applied:
After updating, confirm the plugin version is 1.7.43 or higher in the WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Unusual dfxp file uploads in Apache access logs
- POST requests to file upload endpoints with dfxp content
Network Indicators:
- Inbound traffic with dfxp file uploads to WordPress sites
- Outbound connections triggered by accessing uploaded dfxp files
SIEM Query:
source="apache_access" AND uri="/wp-content/plugins/shared-files/*" AND (file_extension="dfxp" OR content_type="application/ttaf+xml")
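As an added example (not part of this advisory and not code from the Shared Files plugin), the following Python script applies the log indicators and the SIEM query above to Apache combined-format access log lines. It flags dfxp files that were fetched (served with 2xx, the point at which embedded script would run in a browser), dfxp requests that failed, and POST requests to the plugin path, then correlates them per client IP. The upload endpoint filename, the uploads directory and the sample log lines are constructed assumptions; adjust PLUGIN_PREFIX to the upload route your site actually uses. Note that an access log only records the request line, so the uploaded filename and Content-Type of a POST body are not visible here; the POST indicator is therefore a low-confidence hint that needs the follow-up dfxp access to become meaningful.

```python
import re

# Apache "combined" format:
# ip ident user [time] "METHOD path PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Assumed plugin path prefix for the upload endpoint (the advisory's SIEM query
# uses the same wildcard); sites routing uploads via admin-ajax.php must adapt it.
PLUGIN_PREFIX = "/wp-content/plugins/shared-files/"

# Matches a .dfxp extension at the end of the path or before a query/fragment,
# case-insensitively, so "demo.DFXP?v=2" is caught as well.
DFXP_RE = re.compile(r"\.dfxp(?:$|[?#])", re.IGNORECASE)


def parse_line(line):
    """Parse one access log line into a dict, or None if it is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Return an indicator label for a parsed entry, or None if it looks benign."""
    method, path, status = entry["method"], entry["path"], entry["status"]
    if method in ("GET", "HEAD") and DFXP_RE.search(path):
        # A successfully served .dfxp file is the moment a stored script would execute.
        return "dfxp_served" if status.startswith("2") else "dfxp_requested"
    if method == "POST" and path.startswith(PLUGIN_PREFIX):
        # Upload endpoint hit; body (filename, content type) is not in the access log.
        return "upload_post"
    return None


def scan(lines):
    """Return (label, ip, path) tuples for every flagged line, in log order."""
    findings = []
    for line in lines:
        entry = parse_line(line.strip())
        if entry is None:
            continue
        label = classify(entry)
        if label:
            findings.append((label, entry["ip"], entry["path"]))
    return findings


def suspicious_ips(findings):
    """IPs that both POSTed to the plugin path and later had a .dfxp file served."""
    labels_by_ip = {}
    for label, ip, _ in findings:
        labels_by_ip.setdefault(ip, set()).add(label)
    return {ip for ip, labels in labels_by_ip.items()
            if {"upload_post", "dfxp_served"} <= labels}


# Constructed sample log lines (documentation IP ranges, assumed paths).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2025:10:01:02 +0000] "POST /wp-content/plugins/shared-files/upload.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2025:10:01:09 +0000] "GET /wp-content/uploads/shared-files/captions.dfxp HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Jan/2025:10:02:00 +0000] "GET /wp-content/uploads/2025/01/report.pdf HTTP/1.1" 200 90000 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Jan/2025:10:02:30 +0000] "GET /wp-content/uploads/shared-files/demo.DFXP?v=2 HTTP/1.1" 404 210 "-" "curl/8.0"
192.0.2.9 - - [10/Jan/2025:10:03:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 40 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    results = scan(SAMPLE_LOG.splitlines())
    for label, ip, path in results:
        print(f"{label:15} {ip:15} {path}")
    print("correlated upload+access from:", sorted(suspicious_ips(results)))
```

Run it against a real log with `scan(open("/var/log/apache2/access.log").readlines())`; the per-IP correlation is what separates a legitimate caption file from the upload-then-access pattern described in the indicators above.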
🔗 References
- https://plugins.trac.wordpress.org/browser/shared-files/tags/1.7.40
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3231372%40shared-files%2Ftrunk&old=3229309%40shared-files%2Ftrunk&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/9f4210a0-5448-4ff6-876a-37db4ad9b23a?source=cve