CVE-2024-49610
📋 TL;DR
This vulnerability allows attackers to upload arbitrary files, including web shells, to web servers running the vulnerable photokit WordPress plugin. Attackers can achieve remote code execution and full server compromise. All WordPress sites using photokit plugin versions up to 1.0 are affected.
💻 Affected Systems
- WordPress photokit plugin
📦 What is this software?
Photokit by Jackzhu
⚠️ Risk & Real-World Impact
Worst Case
Complete server takeover with web shell installation leading to data theft, ransomware deployment, or use as attack platform
Likely Case
Web shell upload enabling persistent backdoor access, data exfiltration, and lateral movement within the network
If Mitigated
File upload attempts blocked or logged, with no successful exploitation due to proper file type validation
🎯 Exploit Status
Simple file upload exploitation with publicly available proof-of-concept; trivial for attackers to weaponize
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not available
Vendor Advisory: https://patchstack.com/database/vulnerability/photokit/wordpress-photokit-plugin-1-0-arbitrary-file-upload-vulnerability?_s_id=cve
Restart Required: No
Instructions:
1. Remove photokit plugin completely from WordPress installation
2. Delete all plugin files from wp-content/plugins/photokit directory
3. No official patch exists; plugin appears abandoned
🔧 Temporary Workarounds
Web Application Firewall (WAF) Rules
Block file uploads to photokit endpoints and detect web shell patterns
File Upload Restrictions
Implement server-side file type validation and restrict upload directories
# Apache: add to .htaccess in the upload directory (e.g. wp-content/uploads/), not the
# site root, or WordPress's own PHP files stop executing
<FilesMatch "\.(php|phtml|php3|php4|php5|php7|phps|php-s|pht|phar)$">
    # Apache 2.4
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Deny from all
    </IfModule>
</FilesMatch>
# Nginx: add to the server block before the PHP-FPM location; the path prefix limits
# the rule to the upload tree so the rest of WordPress still runs
location ~* ^/wp-content/uploads/.*\.(php|phtml|php3|php4|php5|php7|phps|php-s|pht|phar)$ {
    deny all;
}
🧯 If You Can't Patch
- Immediately disable or remove the photokit plugin from all WordPress installations
- Implement strict file upload monitoring and alerting for any upload attempts to photokit endpoints
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Installed Plugins for photokit plugin version 1.0 or earlier
Check Version:
# Check via WordPress CLI
wp plugin list --name=photokit --field=version
# Check via file system ("Version:" is in the main plugin .php header, "Stable tag:" in readme.txt)
grep -riE '(Version|Stable tag):' /path/to/wordpress/wp-content/plugins/photokit/
Verify Fix Applied:
Confirm photokit plugin is completely removed from wp-content/plugins directory and not listed in WordPress plugins
📡 Detection & Monitoring
Log Indicators:
- File uploads to /wp-content/plugins/photokit/ endpoints
- POST requests with file uploads containing .php, .phtml extensions
- Unusual file creation in upload directories
Network Indicators:
- HTTP POST requests to photokit plugin endpoints with file uploads
- Traffic patterns showing web shell command execution
SIEM Query:
source="web_server" AND ((uri_path="/wp-content/plugins/photokit/*" AND http_method="POST") OR (file_extension IN ("php", "phtml", "phar") AND upload_action="true"))
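As an added example (not from the advisory, the plugin, or Patchstack), a small Python detector that applies the log indicators above to combined-format web server access logs; the sample lines are constructed, and the endpoint name upload.php is a placeholder since the advisory does not name the plugin's real upload handler.

```python
import re

# Same extension list as the .htaccess / Nginx rule in the workaround section.
PHP_EXT_RE = re.compile(r"\.(php|phtml|php3|php4|php5|php7|phps|php-s|pht|phar)$", re.I)
PHOTOKIT_PREFIX = "/wp-content/plugins/photokit/"
UPLOADS_PREFIX = "/wp-content/uploads/"

# Apache/Nginx "combined" format: ip - user [time] "METHOD path HTTP/x" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(entry):
    """Return why an entry is suspicious, or None."""
    path = entry["path"].split("?", 1)[0].lower()   # drop query string, normalise case
    if entry["method"] == "POST" and path.startswith(PHOTOKIT_PREFIX):
        return "upload-attempt"      # the advisory's "POST to photokit endpoint" indicator
    if path.startswith(UPLOADS_PREFIX) and PHP_EXT_RE.search(path):
        return "webshell-access"     # PHP-executable file requested from the upload tree
    return None

def scan_log(lines):
    """Return (ip, method, path, status, reason) for every suspicious line."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reason = classify(entry)
        if reason:
            hits.append((entry["ip"], entry["method"], entry["path"], entry["status"], reason))
    return hits

# Constructed sample log. "upload.php" is a placeholder endpoint name, not the plugin's
# real handler (the advisory does not name it).
SAMPLE_LOG = """\
198.51.100.7 - - [10/Nov/2024:12:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Nov/2024:12:00:02 +0000] "POST /wp-content/plugins/photokit/upload.php HTTP/1.1" 200 88 "-" "curl/8.4"
203.0.113.5 - - [10/Nov/2024:12:00:03 +0000] "GET /wp-content/uploads/2024/11/shell.php?cmd=id HTTP/1.1" 200 42 "-" "curl/8.4"
198.51.100.7 - - [10/Nov/2024:12:00:04 +0000] "GET /wp-content/plugins/photokit/style.css HTTP/1.1" 200 900 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Nov/2024:12:00:05 +0000] "GET /wp-content/uploads/2024/11/x.PhAr HTTP/1.1" 404 0 "-" "curl/8.4"
""".splitlines()

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(*hit)
```

Access logs do not carry the uploaded filename, so the second rule catches the later fetch of the dropped file; pair it with the filesystem check in the Verify section to confirm.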