CVE-2024-24714

7.2 HIGH

📋 TL;DR

This vulnerability allows unauthenticated attackers to upload arbitrary files to WordPress sites running the Icons Font Loader plugin. It affects every WordPress installation with plugin versions up to and including 1.1.4. Because the uploaded files can include PHP scripts, a successful upload can lead to remote code execution and unauthorized access to the site.

💻 Affected Systems

Products:
  • WordPress Icons Font Loader plugin by bPlugins LLC
Versions: All versions up to and including 1.1.4
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Affects any WordPress installation on which a vulnerable version of the plugin is active.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete server compromise via remote code execution, allowing attackers to install backdoors, steal data, deface websites, or pivot to internal networks.

🟠 Likely Case

Website defacement, malware distribution, credential theft, or unauthorized administrative access to the WordPress site.

🟢 If Mitigated

Limited impact if file uploads are restricted at the web server level or if the vulnerable plugin is disabled.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires no authentication and is straightforward due to unrestricted file upload functionality.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.1.5 or later

Vendor Advisory: https://patchstack.com/database/vulnerability/icons-font-loader/wordpress-icons-font-loader-plugin-1-1-4-arbitrary-file-upload-vulnerability

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find Icons Font Loader.
4. Click Update Now if available.
5. Alternatively, download version 1.1.5+ from the WordPress repository and replace the plugin files.

🔧 Temporary Workarounds

Disable vulnerable plugin (platform: all)

Temporarily disable the Icons Font Loader plugin until patched:

  wp plugin deactivate icons-font-loader

Restrict file uploads via .htaccess (platform: linux)

Deny web access to script files under the WordPress upload directory (place the snippet in wp-content/uploads/.htaccess). This does not stop the upload itself, but it prevents an uploaded PHP script from being executed when it is requested.

  # wp-content/uploads/.htaccess: refuse to serve script files from this tree.
  # Apache 2.2 directives; on Apache 2.4 without mod_access_compat,
  # replace the two lines inside FilesMatch with "Require all denied".
  <FilesMatch "\.(php|php3|php4|php5|phtml|pl|py|jsp|asp|sh|cgi)$">
    Order Allow,Deny
    Deny from all
  </FilesMatch>

🧯 If You Can't Patch

  • Remove the Icons Font Loader plugin completely from the WordPress installation.
  • Implement web application firewall rules to block file upload requests to the vulnerable endpoint.

🔍 How to Verify

Check if Vulnerable:

In the WordPress admin panel, go to Plugins and read the Icons Font Loader version. If the version is 1.1.4 or lower, the site is vulnerable.

Check Version:

wp plugin get icons-font-loader --field=version

Verify Fix Applied:

Verify plugin version is 1.1.5 or higher in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file uploads to /wp-content/plugins/icons-font-loader/
  • POST requests to plugin upload endpoints with executable file extensions
  • 404 errors for unexpected PHP files in upload directories

Network Indicators:

  • HTTP POST requests to /wp-content/plugins/icons-font-loader/upload.php or similar endpoints
  • Uploads of files with .php, .exe, or other executable extensions

SIEM Query:

source="web_server" AND method="POST" AND uri_path="/wp-content/plugins/icons-font-loader/*" AND (file_extension="php" OR file_extension="exe" OR file_extension="sh")

The wildcard on uri_path is needed because the upload endpoint sits below the plugin directory, so an exact match on the directory alone returns nothing. Field names such as uri_path and file_extension follow a normalized web-log schema and must be mapped to the fields your SIEM actually extracts. Note that the filename of an uploaded file travels in the multipart request body, not the URL, so file_extension is only populated when a WAF or reverse proxy inspects the body; plain access logs will show the POST to the endpoint and, later, GET requests for the dropped script under /wp-content/uploads/.
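For teams that keep raw access logs rather than a SIEM, the indicators above translate into a short log scanner. The following is an added example, not part of this advisory or of the plugin's own code: it parses Apache/nginx combined-format lines and flags (a) POST requests under the icons-font-loader plugin path and (b) requests for script files inside the WordPress uploads tree, which is the stronger post-upload signal. The sample log lines are constructed for this example; the /upload.php endpoint is the one the advisory lists as an indicator, not a confirmed path.

```python
"""Scan web server access logs for the CVE-2024-24714 indicators.

Added example (not advisory or vendor code).  Sample lines and the
upload.php endpoint are constructed / assumed for illustration.
"""
import re
import sys
from urllib.parse import urlsplit, unquote

PLUGIN_PATH = "/wp-content/plugins/icons-font-loader/"
UPLOADS_PATH = "/wp-content/uploads/"

# Script extensions that should never be served from the uploads tree
# (the .htaccess list above plus the .exe from the SIEM query).
SCRIPT_EXT = re.compile(
    r"\.(php|php3|php4|php5|phtml|pl|py|jsp|asp|sh|cgi|exe)$", re.IGNORECASE
)

# Combined log format:
#   ip ident user [time] "METHOD URI PROTO" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines: one upload attempt, one fetch of a dropped
# script, and three benign requests that must not trigger.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Feb/2024:13:01:02 +0000] "POST /wp-content/plugins/icons-font-loader/upload.php HTTP/1.1" 200 57 "-" "curl/8.4.0"',
    '203.0.113.5 - - [10/Feb/2024:13:01:05 +0000] "GET /wp-content/uploads/2024/02/x.php HTTP/1.1" 200 312 "-" "curl/8.4.0"',
    '198.51.100.7 - - [10/Feb/2024:13:02:10 +0000] "GET /wp-content/plugins/icons-font-loader/assets/icons.css HTTP/1.1" 200 4096 "https://example.test/" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Feb/2024:13:02:11 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 20 "https://example.test/wp-admin/" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Feb/2024:13:01:07 +0000] "GET /wp-content/uploads/2024/02/logo.png HTTP/1.1" 200 8800 "-" "curl/8.4.0"',
]


def parse_line(line):
    """Return a dict of fields for a combined-format line, or None."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Label one parsed entry: 'upload_attempt', 'script_access', or None."""
    if entry is None:
        return None
    # Decode percent-encoding so /wp-content/uploads/x%2Ephp is not missed.
    path = unquote(urlsplit(entry["uri"]).path)
    if entry["method"] == "POST" and path.startswith(PLUGIN_PATH):
        return "upload_attempt"
    if path.startswith(UPLOADS_PATH) and SCRIPT_EXT.search(path):
        return "script_access"
    return None


def scan(lines):
    """Return (label, ip, method, uri, status) for every suspicious line."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        label = classify(entry)
        if label:
            findings.append(
                (label, entry["ip"], entry["method"], entry["uri"], entry["status"])
            )
    return findings


if __name__ == "__main__":
    # Usage: python scan_log.py access.log   (falls back to the sample lines)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            source = fh.read().splitlines()
    else:
        source = SAMPLE_LOG
    for finding in scan(source):
        print("\t".join(finding))
```

A 200 response to the GET for a .php file under /wp-content/uploads/ means the web server executed it, which is exactly what the .htaccess workaround above is meant to turn into a 403; seeing the POST and the GET from the same client within seconds is a strong signal that the upload succeeded.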
