CVE-2024-5853
📋 TL;DR
The Sirv WordPress plugin (versions up to 7.2.6) allows authenticated attackers with Contributor-level access or higher to upload arbitrary files due to missing file type validation. This vulnerability can lead to remote code execution by uploading malicious files like PHP shells. All WordPress sites using vulnerable Sirv plugin versions are affected.
💻 Affected Systems
- Image Optimizer, Resizer and CDN – Sirv WordPress plugin
📦 What is this software?
Sirv by Sirv
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete site compromise, data theft, malware distribution, or server takeover.
Likely Case
Attackers upload web shells to gain persistent access, deface websites, or install backdoors for further exploitation.
If Mitigated
With proper file upload restrictions and user role management, the impact is limited to unauthorized file storage without execution.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once credentials are obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.2.7
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3103410/sirv/trunk/sirv.php
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the 'Sirv' plugin.
4. Click 'Update Now' if available, or manually update to version 7.2.7+.
5. Verify the update completes successfully.
🔧 Temporary Workarounds
Disable vulnerable AJAX endpoint
Remove or restrict access to the sirv_upload_file_by_chanks AJAX action.
Add to the theme's functions.php or a custom plugin:
    remove_action('wp_ajax_sirv_upload_file_by_chanks', 'sirv_upload_file_by_chanks');
    remove_action('wp_ajax_nopriv_sirv_upload_file_by_chanks', 'sirv_upload_file_by_chanks');
Restrict file uploads via .htaccess
Block execution of uploaded files in upload directories.
Add to .htaccess in wp-content/uploads:
    <FilesMatch "\.(php|php5|php7|phtml|phar)$">
        Order Allow,Deny
        Deny from all
    </FilesMatch>
On Apache 2.4 without mod_access_compat loaded, replace the two Order/Deny lines with `Require all denied`.
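Added example (not from the advisory or the Sirv project): a small Python check that verifies the .htaccess workaround above is in place under wp-content/uploads and lists any files there with a PHP-executable extension, which is the "unauthorized PHP file creation" indicator from the Detection section. The sample directory tree it builds is constructed for the demonstration; point `find_executable_uploads` and `htaccess_blocks_php` at a real uploads directory to run it on a site.

```python
import os
import re
import tempfile

# Extensions the .htaccess rule above denies; a file under uploads with one of
# these names is the "unauthorized PHP file creation" indicator.
EXEC_EXT = re.compile(r"\.(php|php5|php7|phtml|phar)$", re.IGNORECASE)
DENY_DIRECTIVE = re.compile(r"Deny from all|Require all denied", re.IGNORECASE)


def find_executable_uploads(uploads_dir):
    """Relative paths of files under uploads_dir with a PHP-executable extension."""
    hits = []
    for root, _dirs, files in os.walk(uploads_dir):
        for name in files:
            if EXEC_EXT.search(name):
                hits.append(os.path.relpath(os.path.join(root, name), uploads_dir))
    return sorted(hits)


def htaccess_blocks_php(uploads_dir):
    """True if uploads_dir/.htaccess has a FilesMatch block naming php that
    carries a deny directive in either Apache 2.2 or 2.4 syntax."""
    path = os.path.join(uploads_dir, ".htaccess")
    if not os.path.isfile(path):
        return False
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    block = re.search(r"<FilesMatch[^>]*php[^>]*>(.*?)</FilesMatch>", text, re.S | re.I)
    return bool(block and DENY_DIRECTIVE.search(block.group(1)))


def build_sample_tree(protected):
    """Constructed wp-content/uploads tree for the demo (not real site data)."""
    root = tempfile.mkdtemp(prefix="uploads_")
    for rel in ["2024/06/photo.jpg", "2024/06/avatar.php", "sirv/cache.phtml", "notes.txt"]:
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("sample\n")
    if protected:  # write the Apache 2.4 form of the workaround
        with open(os.path.join(root, ".htaccess"), "w") as fh:
            fh.write('<FilesMatch "\\.(php|php5|php7|phtml|phar)$">\n'
                     "  Require all denied\n</FilesMatch>\n")
    return root


if __name__ == "__main__":
    d = build_sample_tree(protected=False)
    print("executable files under uploads:", find_executable_uploads(d))
    print("uploads .htaccess blocks PHP:", htaccess_blocks_php(d))
```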
🧯 If You Can't Patch
- Temporarily disable the Sirv plugin until patching is possible
- Restrict Contributor and higher role access; review user accounts for suspicious activity
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for Sirv version ≤7.2.6
Check Version:
wp plugin list --name=sirv --field=version (if WP-CLI installed)
Verify Fix Applied:
Confirm Sirv plugin version is 7.2.7 or higher in WordPress admin
📡 Detection & Monitoring
Log Indicators:
- POST requests to /wp-admin/admin-ajax.php with action=sirv_upload_file_by_chanks
- File uploads to unexpected locations in wp-content/uploads
- Unauthorized PHP file creation in upload directories
Network Indicators:
- Unusual AJAX requests from authenticated users to upload endpoints
- Traffic patterns suggesting file upload exploitation
SIEM Query:
source="web_server" AND uri="/wp-admin/admin-ajax.php" AND post_data="action=sirv_upload_file_by_chanks"
🔗 References
- https://plugins.trac.wordpress.org/changeset/3103410/sirv/trunk/sirv.php
- https://www.wordfence.com/threat-intel/vulnerabilities/id/e89b40ec-1952-46e3-a91b-bd38e62f8929?source=cve