CVE-2024-13707
📋 TL;DR
This CSRF vulnerability in the WP Image Uploader plugin allows unauthenticated attackers to delete arbitrary files on WordPress sites by tricking an administrator into clicking a malicious link. All WordPress sites running WP Image Uploader version 1.0.1 or earlier are affected. The attacker needs no credentials of their own: the forged request executes with the privileges of the administrator who is tricked into triggering it.
💻 Affected Systems
- WP Image Uploader WordPress Plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete site compromise through deletion of critical WordPress files, leading to site unavailability, data loss, or privilege escalation via file manipulation.
Likely Case
Selective file deletion causing site functionality disruption, defacement, or data loss of uploaded images and media.
If Mitigated
No impact if proper CSRF protections are implemented or plugin is updated/disabled.
🎯 Exploit Status
Exploitation requires social engineering to trick an authenticated administrator into performing the action. The attacker needs no authentication of their own; once the action is triggered, the request runs under the administrator's session.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Any version later than 1.0.1
Vendor Advisory: https://plugins.trac.wordpress.org/browser/wp-image-uploader/trunk/index.php#L85
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Locate WP Image Uploader.
4. Click 'Update Now' if available.
5. If no update is available, deactivate and delete the plugin immediately.
🔧 Temporary Workarounds
Disable WP Image Uploader Plugin
Platform: WordPress
Temporarily deactivate the vulnerable plugin until a patched version is available:
wp plugin deactivate wp-image-uploader
🧯 If You Can't Patch
- Remove WP Image Uploader plugin completely from the WordPress installation
- Implement web application firewall rules to block requests to gky_image_uploader_main_function()
🔍 How to Verify
Check if Vulnerable:
In the WordPress admin panel, go to Plugins > Installed Plugins and check whether WP Image Uploader is installed at version 1.0.1 or earlier.
Check Version:
wp plugin get wp-image-uploader --field=version
Verify Fix Applied:
Verify that WP Image Uploader has either been updated to a version later than 1.0.1 or been completely removed from the plugins directory.
📡 Detection & Monitoring
Log Indicators:
- HTTP POST requests to wp-admin/admin-ajax.php with action=gky_image_uploader_main_function
- File deletion events in WordPress uploads directory without corresponding admin actions
Network Indicators:
- Unexpected file deletion requests originating from non-admin user sessions
- CSRF payloads targeting admin-ajax.php endpoint
SIEM Query:
source="wordpress.log" AND "gky_image_uploader_main_function" AND ("DELETE" OR "unlink")
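The log indicator above can be checked offline against a web server access log. The following is an added example, not part of this advisory or of the plugin: it parses combined-format (Apache/nginx default) log lines, keeps only requests to admin-ajax.php carrying the vulnerable action, and flags those whose Referer is missing or points to a foreign host, which is the shape a CSRF lure produces. It assumes the action parameter appears in the query string and uses a constructed site hostname (shop.example) and constructed sample traffic.

```python
import re
from urllib.parse import urlparse, parse_qs

# Action name taken from the advisory's log indicators.
VULN_ACTION = "gky_image_uploader_main_function"

# Combined log format (Apache/nginx default): request line, status, bytes, referer, user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

def classify_request(line, site_host):
    """Return a finding for a request to the vulnerable admin-ajax action, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlparse(m.group("target"))
    if not url.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    # Assumption: the action is in the query string (POST bodies are not in a standard access log).
    if parse_qs(url.query).get("action", [""])[0] != VULN_ACTION:
        return None
    # A CSRF lure loads from a foreign page (or none), so the Referer host is not the site itself.
    referer_host = urlparse(m.group("referer")).hostname
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "method": m.group("method"),
        "referer": m.group("referer"),
        "cross_site_referer": referer_host != site_host,
    }

def find_suspect_requests(log_text, site_host):
    """Scan a whole access log and keep only hits on the vulnerable action."""
    hits = (classify_request(l, site_host) for l in log_text.splitlines())
    return [h for h in hits if h]

# Constructed sample traffic, not a real capture; shop.example is the protected site.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2025:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=gky_image_uploader_main_function HTTP/1.1" 200 17 "https://lure.example/page.html" "Mozilla/5.0"
203.0.113.5 - - [10/Jan/2025:10:01:03 +0000] "POST /wp-admin/admin-ajax.php?action=gky_image_uploader_main_function HTTP/1.1" 200 17 "https://shop.example/wp-admin/upload.php" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2025:10:02:00 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 50 "https://shop.example/wp-admin/" "Mozilla/5.0"
192.0.2.9 - - [10/Jan/2025:10:03:00 +0000] "POST /wp-admin/admin-ajax.php?action=gky_image_uploader_main_function HTTP/1.1" 200 17 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for h in find_suspect_requests(SAMPLE_LOG, "shop.example"):
        print(h["ts"], h["ip"], "CROSS-SITE" if h["cross_site_referer"] else "same-site", h["referer"])
```

A same-site Referer does not prove the request was legitimate (an administrator may be lured while already inside wp-admin), so same-site hits on the vulnerable action still deserve correlation with file deletion events in the uploads directory.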