CVE-2024-29135

9.9 CRITICAL

📋 TL;DR

This vulnerability allows an attacker with access to a WordPress site running the Tourfic plugin to upload arbitrary files, including PHP web shells, which can lead to remote code execution on the web server. It affects all Tourfic plugin versions up to and including 2.11.15; the fix is 2.11.16.

💻 Affected Systems

Products:
  • Tourfic WordPress Plugin
Versions: all versions up to and including 2.11.15
Operating Systems: All platforms running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all WordPress installations with Tourfic plugin enabled, regardless of configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete server compromise via web shell upload, leading to data theft, ransomware deployment, or site defacement.

🟠 Likely Case: Web shell upload enabling backdoor access, file manipulation, and potential privilege escalation on the host.

🟢 If Mitigated: File upload attempts are blocked or logged with no successful exploitation.

🌐 Internet-Facing: HIGH - WordPress sites are typically internet-facing, making them directly accessible to attackers.
🏢 Internal Only: MEDIUM - Internal WordPress sites could still be targeted via phishing or compromised internal accounts.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ❌ No (authenticated access required)
Complexity: LOW

Exploitation requires an authenticated account on the target site; once such access is obtained, the upload itself is straightforward to perform and needs no interaction from a victim user. Treat every account that can reach the plugin's upload functionality as a potential path to code execution.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.11.16 or later

Vendor Advisory: https://patchstack.com/database/vulnerability/tourfic/wordpress-tourfic-plugin-2-11-15-arbitrary-file-upload-vulnerability

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find the Tourfic plugin.
4. Click 'Update Now' if an update is available.
5. If no update is offered, download version 2.11.16 or later from WordPress.org and update manually.

🔧 Temporary Workarounds

Disable Tourfic Plugin (platform: all)

Temporarily deactivate the vulnerable plugin until it is patched. Deactivation stops the plugin's PHP from loading, and with it the upload handler, but it also removes the plugin's functionality from the site.

wp plugin deactivate tourfic

Restrict File Uploads via .htaccess (platform: Linux / Apache)

Block execution of PHP files in wp-content/uploads so that an uploaded web shell cannot be invoked through the web server. This is defense in depth, not a fix: it only helps if the plugin writes uploads below wp-content/uploads, and it does not prevent the upload itself.

Add to .htaccess in wp-content/uploads (Apache 2.4 syntax; AllowOverride must permit it):

<FilesMatch "\.(php|php[0-9]|phtml|phar|phps)$">
    Require all denied
</FilesMatch>

On Apache 2.2, or on 2.4 with mod_access_compat loaded, the equivalent directive is "Deny from all". nginx ignores .htaccess files entirely; add an equivalent deny rule for that location in the server block instead.

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules that block multipart uploads of executable file types (.php, .phtml, .phar and variants) to the plugin's endpoints.
  • Enforce an allow-list of upload extensions and MIME types at the web server or upload handler, and ensure the upload directory is not executable.

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > Tourfic version. If version is 2.11.15 or lower, you are vulnerable.

Check Version:

wp plugin get tourfic --field=version

Verify Fix Applied:

Verify Tourfic plugin version is 2.11.16 or higher in WordPress admin.
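The check above as an added example script (not code from the page or from the Tourfic project): it reads the installed version either from wp-cli or from the plugin's main file header and compares it numerically against 2.11.16. The numeric comparison matters because, as strings, "2.11.9" sorts after "2.11.15". The plugin main-file name tourfic.php and the sample header are assumptions made for the demo.

```python
"""Tourfic version gate for CVE-2024-29135.

Added example, not code from the page or the Tourfic project. Assumes wp-cli is
on PATH for installed_version(); the plugin main-file name used by
version_from_plugin_dir() is an assumption.
"""
import os
import re
import subprocess
from typing import Optional, Tuple

FIXED_VERSION = "2.11.16"  # first release not affected, per the advisory
PLUGIN_MAIN_FILE = "tourfic.php"  # assumption: WordPress plugins normally use <slug>.php

# Sample plugin header, constructed for the demo; real headers follow this layout.
SAMPLE_PLUGIN_HEADER = """<?php
/**
 * Plugin Name: Tourfic
 * Version: 2.11.15
 * Text Domain: tourfic
 */
"""


def parse_version(version: str) -> Tuple[int, ...]:
    """'2.11.15' -> (2, 11, 15). A trailing tag such as '-beta1' is ignored."""
    numbers = re.findall(r"\d+", version.strip().split("-", 1)[0])
    if not numbers:
        raise ValueError(f"not a version string: {version!r}")
    return tuple(int(n) for n in numbers)


def is_vulnerable(installed: str) -> bool:
    """True when installed < 2.11.16.

    Compare as integer tuples, not strings: '2.11.9' > '2.11.15' lexically,
    so a string comparison would report a vulnerable build as fixed.
    """
    return parse_version(installed) < parse_version(FIXED_VERSION)


def version_from_plugin_header(header_text: str) -> Optional[str]:
    """Pull the 'Version:' field out of a WordPress plugin file header comment."""
    m = re.search(r"^[ \t/*#]*Version:\s*(\S+)", header_text, re.MULTILINE)
    return m.group(1) if m else None


def version_from_plugin_dir(plugins_dir: str) -> Optional[str]:
    """Read the version from the plugin main file, for when wp-cli is unavailable
    (e.g. auditing a backup or a mounted disk image)."""
    path = os.path.join(plugins_dir, "tourfic", PLUGIN_MAIN_FILE)
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            return version_from_plugin_header(fh.read(8192))
    except OSError:
        return None


def installed_version(wp_path: Optional[str] = None) -> Optional[str]:
    """Ask wp-cli for the installed Tourfic version; None if it cannot be determined."""
    cmd = ["wp", "plugin", "get", "tourfic", "--field=version"]
    if wp_path:
        cmd.append(f"--path={wp_path}")
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True, check=True, timeout=60)
    except (FileNotFoundError, subprocess.CalledProcessError, subprocess.TimeoutExpired):
        return None
    return proc.stdout.strip() or None


def assess(version: Optional[str]) -> str:
    """Human-readable verdict for a version string (or None when unknown)."""
    if version is None:
        return "UNKNOWN: could not read the Tourfic version"
    verdict = "VULNERABLE" if is_vulnerable(version) else "PATCHED"
    return f"{verdict}: Tourfic {version} (fix is {FIXED_VERSION})"


if __name__ == "__main__":
    # Offline demo against the constructed header, then the live site if wp-cli is present.
    print(assess(version_from_plugin_header(SAMPLE_PLUGIN_HEADER)))
    print(assess(installed_version()))
```

Run it from the WordPress root (or pass --path via installed_version(wp_path=...)); when wp-cli is not available, point version_from_plugin_dir() at the wp-content/plugins directory of a backup to get the same verdict offline.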

📡 Detection & Monitoring

Log Indicators:

  • New files with an executable extension (.php, .php5/.php7, .phtml, .phar, .phps, or double extensions such as .php.jpg) appearing under wp-content/uploads, especially outside the usual YYYY/MM date folders
  • POST requests to Tourfic plugin endpoints carrying multipart/form-data file upload parameters, particularly from low-privilege accounts
  • Requests for a newly created PHP file under wp-content/uploads shortly after such a POST (the web shell being invoked)

Network Indicators:

  • HTTP POST requests with file uploads to /wp-content/plugins/tourfic/ endpoints. If the plugin handles uploads through /wp-admin/admin-ajax.php or the REST API, the POST lands there rather than under the plugin path; correlate on the request's action parameter in that case.

SIEM Query:

source="web_server" AND (uri_path="/wp-content/plugins/tourfic/*" AND method="POST" AND (file_extension="php" OR file_extension="phtml" OR file_extension="phar"))

A standard access log does not record the name of an uploaded file, so the file_extension field above assumes a WAF, reverse proxy, or application log that captures multipart filenames. Without one, alert on the POST alone and confirm with a filesystem scan of wp-content/uploads.
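The indicators above as runnable detection logic, an added example rather than anything from the page or the Tourfic project: it parses combined-format access-log lines, flags POSTs to the plugin path and requests for executable files under wp-content/uploads, correlates the two by source address, and separately classifies uploads-directory filenames (including double extensions). The sample log lines are constructed; the upload-handler path under /wp-content/plugins/tourfic/ and the web-shell filename in them are placeholders, not known Tourfic artefacts.

```python
"""Detection for the CVE-2024-29135 log and filesystem indicators.

Added example, not from the page or the Tourfic project. The sample log lines
are constructed; the upload handler path under /wp-content/plugins/tourfic/ and
the web-shell filename in them are placeholders, not known Tourfic artefacts.
"""
import os
import re
from typing import Iterable, List, Tuple

# Apache/nginx "combined" format: ip ident user [time] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) '
)
TOURFIC_PREFIX = "/wp-content/plugins/tourfic/"
UPLOADS_PREFIX = "/wp-content/uploads/"

# Extensions a PHP-enabled server may execute. For filenames also catch double
# extensions (shell.php.jpg), which Apache runs when PHP is wired up via AddHandler.
EXEC_EXT_RE = re.compile(r"\.(?:php\d*|phtml|phar|phps)$", re.I)
EXEC_NAME_RE = re.compile(r"\.(?:php\d*|phtml|phar|phps)(?:\.|$)", re.I)

Hit = Tuple[str, str, str, str]  # (indicator, source_ip, request_path, status)

# Constructed sample: a benign image fetch, an upload POST to the plugin, the
# uploaded "wp-cache.php" being invoked, and unrelated static traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "GET /wp-content/uploads/2024/03/photo.jpg HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2024:12:00:05 +0000] "POST /wp-content/plugins/tourfic/upload-handler.php HTTP/1.1" 200 77 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2024:12:00:09 +0000] "GET /wp-content/uploads/2024/03/wp-cache.php?cmd=id HTTP/1.1" 200 39 "-" "curl/8.4.0"',
    '198.51.100.2 - - [10/Mar/2024:12:01:00 +0000] "GET /wp-content/plugins/tourfic/assets/app.css HTTP/1.1" 200 8800 "-" "Mozilla/5.0"',
]


def find_indicators(lines: Iterable[str]) -> List[Hit]:
    """Flag POSTs to the plugin path and requests for executables under uploads."""
    hits: List[Hit] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format (or a truncated line); skip rather than guess
        ip, method, path, status = m["ip"], m["method"], m["path"], m["status"]
        path_only = path.split("?", 1)[0]
        if method == "POST" and path_only.startswith(TOURFIC_PREFIX):
            hits.append(("tourfic_post", ip, path, status))
        # A request for a PHP file under uploads is the web shell being executed.
        if path_only.startswith(UPLOADS_PREFIX) and EXEC_EXT_RE.search(path_only):
            hits.append(("uploads_exec_request", ip, path, status))
    return hits


def correlate(hits: List[Hit]) -> List[str]:
    """Source IPs that both POSTed to the plugin and requested an executable under uploads."""
    posted = {h[1] for h in hits if h[0] == "tourfic_post"}
    executed = {h[1] for h in hits if h[0] == "uploads_exec_request"}
    return sorted(posted & executed)


def classify_upload_paths(rel_paths: Iterable[str]) -> List[str]:
    """Return the uploads-relative paths whose filename carries an executable extension."""
    return [p for p in rel_paths if EXEC_NAME_RE.search(os.path.basename(p))]


def scan_uploads_dir(uploads_root: str) -> List[str]:
    """Walk a real wp-content/uploads tree and list executable files (relative paths)."""
    rel_paths = []
    for dirpath, _dirs, files in os.walk(uploads_root):
        for name in files:
            rel_paths.append(os.path.relpath(os.path.join(dirpath, name), uploads_root))
    return classify_upload_paths(rel_paths)


if __name__ == "__main__":
    found = find_indicators(SAMPLE_LOG)
    for hit in found:
        print(hit)
    print("correlated sources:", correlate(found))
```

Feed find_indicators() the live access log and scan_uploads_dir() the real wp-content/uploads path; a source address returned by correlate() is the strongest signal, since it ties the upload POST to the first invocation of the dropped file.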
