CVE-2024-13720

8.8 HIGH

📋 TL;DR

The WP Image Uploader WordPress plugin allows unauthenticated attackers to delete arbitrary files on the server due to insufficient file path validation. This vulnerability affects all WordPress sites using WP Image Uploader version 1.0.1 or earlier. Attackers can potentially achieve remote code execution by deleting critical files like wp-config.php.

💻 Affected Systems

Products:
  • WP Image Uploader WordPress Plugin
Versions: All versions up to and including 1.0.1
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: All WordPress installations with this plugin enabled are vulnerable by default.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete site compromise via remote code execution, data theft, defacement, or site destruction by deleting critical system files.

🟠

Likely Case

Site disruption or defacement by deleting theme files, configuration files, or uploaded content, potentially leading to downtime.

🟢

If Mitigated

Limited impact if proper file permissions and web application firewalls block exploitation attempts.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

No authentication required, making exploitation trivial for attackers who discover the vulnerability.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version after 1.0.1

Vendor Advisory: https://plugins.trac.wordpress.org/browser/wp-image-uploader/trunk/index.php#L85

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find WP Image Uploader.
4. Click 'Update Now' if an update is available.
5. If no update is available, deactivate and delete the plugin immediately.

🔧 Temporary Workarounds

Immediate Plugin Deactivation

WordPress

Deactivate the vulnerable plugin to prevent exploitation while planning permanent fix.

wp plugin deactivate wp-image-uploader

🧯 If You Can't Patch

  • Deactivate and remove the WP Image Uploader plugin immediately.
  • Implement web application firewall rules to block requests to the vulnerable endpoint.

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > Installed Plugins for WP Image Uploader version 1.0.1 or earlier.

Check Version:

wp plugin get wp-image-uploader --field=version

Verify Fix Applied:

Verify plugin is either updated to version after 1.0.1 or completely removed from the plugins directory.

📡 Detection & Monitoring

Log Indicators:

  • HTTP POST requests to /wp-content/plugins/wp-image-uploader/ with file deletion parameters
  • 404 errors for critical files like wp-config.php

Network Indicators:

  • Unusual file deletion requests to the plugin endpoint from unauthenticated sources

SIEM Query:

source="web_server" AND (uri="/wp-content/plugins/wp-image-uploader/" AND method="POST")
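As an added example (not part of this advisory and not the plugin's own code), a small Python scanner that applies the two log indicators above to Apache/nginx combined-format access log lines; the sample log lines, client IPs and the request file name index.php are constructed assumptions.

```python
import re
from typing import Dict, List, Optional

# Indicators from the advisory: POSTs anywhere under the plugin directory,
# and 404 responses for critical files such as wp-config.php.
PLUGIN_PATH_PREFIX = "/wp-content/plugins/wp-image-uploader/"
CRITICAL_FILES = ("/wp-config.php",)

# Apache/nginx "combined" access log format (client, timestamp, request line, status).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one access log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry: Dict[str, str]) -> Optional[str]:
    """Map a parsed entry to an indicator name, or None if it is not suspicious."""
    path = entry["uri"].split("?", 1)[0]  # match on the path only, ignore query string
    if entry["method"] == "POST" and path.startswith(PLUGIN_PATH_PREFIX):
        return "plugin-post"
    if entry["status"] == "404" and path in CRITICAL_FILES:
        return "critical-file-404"
    return None


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per log line that matches an indicator; unparseable lines are skipped."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        tag = classify(entry)
        if tag:
            findings.append({"ip": entry["ip"], "time": entry["time"],
                             "uri": entry["uri"], "indicator": tag})
    return findings


# Constructed sample log lines (assumed, not real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [12/Jan/2025:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Jan/2025:10:01:02 +0000] "POST /wp-content/plugins/wp-image-uploader/index.php HTTP/1.1" 200 57 "-" "curl/8.0"',
    '198.51.100.7 - - [12/Jan/2025:10:01:09 +0000] "GET /wp-config.php HTTP/1.1" 404 231 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [12/Jan/2025:10:02:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    "this line is not an access log entry",
]
```

Run `scan(SAMPLE_LOG)` to get the two flagged entries; feeding a real access log file through the same function is a matter of passing its lines.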

🔗 References
