CVE-2024-50529
📋 TL;DR
This vulnerability allows attackers to upload arbitrary files, including web shells, to WordPress servers running the Rudra Innovative Software Training – Courses plugin. Attackers can gain full control of affected websites. All WordPress sites using vulnerable versions of this plugin are affected.
💻 Affected Systems
- WordPress Training – Courses plugin by Rudra Innovative Software
📦 What is this software?
Training Courses by Rudrainnovative
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise leading to data theft, ransomware deployment, or use as part of a botnet.
Likely Case
Website defacement, data exfiltration, and installation of backdoors for persistent access.
If Mitigated
Limited impact if file uploads are restricted at web server level or WAF blocks malicious uploads.
🎯 Exploit Status
A single crafted HTTP POST request carrying a malicious file upload is enough to exploit this vulnerability; no authentication bypass or chained bug is needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.0.2 or later
Vendor Advisory: https://patchstack.com/database/vulnerability/training/wordpress-training-courses-plugin-2-0-1-arbitrary-file-upload-vulnerability?_s_id=cve
Restart Required: No
Instructions:
1. Log into WordPress admin panel
2. Navigate to Plugins > Installed Plugins
3. Find 'Training – Courses' plugin
4. Click 'Update Now' if available
5. If no update is available, deactivate and delete the plugin immediately
🔧 Temporary Workarounds
Disable plugin
Deactivate and remove the vulnerable plugin (WP-CLI, run from the WordPress root):
```bash
wp plugin deactivate training
wp plugin delete training
```
Restrict PHP execution via .htaccess
Deny web access to PHP files in the plugin directories. This does not stop the upload itself; it only prevents the web server from serving, and therefore executing, a script that has already been uploaded, so treat it as a stopgap until the plugin is updated or removed. It only applies to Apache with .htaccess overrides enabled, and the Order/Deny directives are Apache 2.2 syntax that Apache 2.4 honours only when mod_access_compat is loaded (2.4 installs without it use the Require directive instead).
```apache
<FilesMatch "\.(php|php5|php7|phtml|phar)$">
  Order Allow,Deny
  Deny from all
</FilesMatch>
```
🧯 If You Can't Patch
- Immediately deactivate and remove the Training – Courses plugin from all WordPress installations.
- Implement web application firewall (WAF) rules to block file uploads to the affected plugin endpoints.
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Training – Courses for version 2.0.1 or earlier.
Check Version:
```bash
wp plugin get training --field=version
```
Verify Fix Applied:
Verify plugin version is 2.0.2 or later, or confirm plugin is completely removed.
📡 Detection & Monitoring
Log Indicators:
- HTTP POST requests to /wp-content/plugins/training/ upload endpoints
- Unusual file uploads with .php, .phtml, or other executable extensions
- Files created in plugin directories with suspicious names
Network Indicators:
- POST requests to training plugin upload endpoints with file attachments
- Unusual outbound connections from web server after file upload
SIEM Query:
```
source="web_server" AND (uri_path="/wp-content/plugins/training/*" AND method="POST") AND (file_extension="php" OR file_extension="phtml" OR file_extension="phar")
```
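The log and file indicators above can be turned into a small offline check. The following Python script is an added example, not code from the advisory, Patchstack or the plugin vendor: it parses Apache/nginx combined-format access log lines, flags POSTs to /wp-content/plugins/training/, flags direct requests for executable files under that directory, correlates the two per client IP, and diffs a directory listing against a baseline to find executable files that were not shipped with the plugin. The log lines, the upload endpoint name (upload.php), the baseline file list and the IP addresses are all constructed for the demo; the real plugin's endpoint names are not stated on this page.

```python
"""Detection helpers for the WordPress 'Training - Courses' plugin
arbitrary file upload (CVE-2024-50529).

Added example: not the advisory's or the vendor's code. All sample data
below is constructed; the endpoint path upload.php is an assumption.
"""
import re
from urllib.parse import urlsplit

PLUGIN_PREFIX = "/wp-content/plugins/training/"
# Extensions the advisory's .htaccess rule and SIEM query treat as executable.
EXEC_EXTENSIONS = {"php", "php5", "php7", "phtml", "phar"}

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample log: one client uploads then fetches a script,
# another client only touches legitimate plugin assets and admin-ajax.
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Nov/2024:10:15:01 +0000] "POST /wp-content/plugins/training/upload.php HTTP/1.1" 200 512 "-" "curl/8.4.0"',
    '203.0.113.5 - - [12/Nov/2024:10:15:03 +0000] "GET /wp-content/plugins/training/uploads/shell.php HTTP/1.1" 200 88 "-" "curl/8.4.0"',
    '198.51.100.7 - - [12/Nov/2024:10:16:10 +0000] "GET /wp-content/plugins/training/assets/style.css?ver=2.0.1 HTTP/1.1" 200 2048 "https://example.test/" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Nov/2024:10:16:12 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 30 "https://example.test/" "Mozilla/5.0"',
]

# Constructed baseline: files present right after a clean plugin install.
BASELINE_FILES = {
    "wp-content/plugins/training/training.php",
    "wp-content/plugins/training/includes/admin.php",
}
# Constructed current listing: baseline plus two uploaded files.
CURRENT_LISTING = BASELINE_FILES | {
    "wp-content/plugins/training/uploads/shell.php",
    "wp-content/plugins/training/uploads/brochure.pdf",
}


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = urlsplit(rec["target"]).path  # drop the query string
    return rec


def extension_of(path):
    """Lower-cased extension of the last path component ('' if none)."""
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def flag_upload_posts(lines):
    """Log indicator 1: POST requests under the plugin directory."""
    hits = []
    for rec in map(parse_line, lines):
        if rec and rec["method"] == "POST" and rec["path"].startswith(PLUGIN_PREFIX):
            hits.append((rec["ip"], rec["ts"], rec["path"], rec["status"]))
    return hits


def flag_executable_requests(lines):
    """Log indicator 2: direct GETs of executable files under the plugin dir.
    Plugin PHP is normally loaded by WordPress, not requested directly, so
    allowlist any plugin entry points that are legitimately fetched this way."""
    return [
        (rec["ip"], rec["path"])
        for rec in map(parse_line, lines)
        if rec and rec["method"] == "GET"
        and rec["path"].startswith(PLUGIN_PREFIX)
        and extension_of(rec["path"]) in EXEC_EXTENSIONS
    ]


def suspicious_ips(lines):
    """Correlate: clients that POSTed to the plugin and then fetched a script."""
    posters = {ip for ip, _, _, _ in flag_upload_posts(lines)}
    fetchers = {ip for ip, _ in flag_executable_requests(lines)}
    return sorted(posters & fetchers)


def unexpected_executables(listing, baseline, prefix=PLUGIN_PREFIX.lstrip("/")):
    """File indicator: executable files under the plugin dir not in the baseline."""
    return sorted(
        p for p in listing
        if p.startswith(prefix) and p not in baseline
        and extension_of(p) in EXEC_EXTENSIONS
    )


if __name__ == "__main__":
    print("upload POSTs:", flag_upload_posts(SAMPLE_LOG))
    print("script fetches:", flag_executable_requests(SAMPLE_LOG))
    print("suspicious IPs:", suspicious_ips(SAMPLE_LOG))
    print("new executables:", unexpected_executables(CURRENT_LISTING, BASELINE_FILES))
```

Feed real access logs as an iterable of lines and replace BASELINE_FILES with a listing taken from a known-good install (or from the plugin's archive); the correlation in suspicious_ips is what separates an attacker from a scanner that only probed the endpoint.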