CVE-2024-7301

7.2 HIGH

📋 TL;DR

The WordPress File Upload plugin versions up to 4.24.8 contain a stored cross-site scripting vulnerability in SVG file uploads. Unauthenticated attackers can upload malicious SVG files containing JavaScript that executes when users view the files. This affects all WordPress sites using vulnerable versions of this plugin.

💻 Affected Systems

Products:
  • WordPress File Upload plugin
Versions: All versions up to and including 4.24.8
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists when SVG uploads are enabled (default configuration).

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal administrator session cookies, redirect users to malicious sites, deface websites, or perform actions as authenticated users if combined with other vulnerabilities.

🟠 Likely Case

Attackers inject malicious scripts to steal user session cookies, redirect visitors to phishing sites, or display unwanted content.

🟢 If Mitigated

With proper content security policies and file upload restrictions, impact is limited to potential defacement or limited data exposure.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only uploading a malicious SVG file. Public proof-of-concept exists in vulnerability references.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.24.9 and later

Vendor Advisory: https://wordpress.org/plugins/wp-file-upload/#developers

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the 'WordPress File Upload' plugin.
4. Click 'Update Now' if an update is available.
5. If no update appears, manually download version 4.24.9+ from WordPress.org and replace the plugin files.

🔧 Temporary Workarounds

Disable SVG uploads
Applies to: all
Configure the plugin to block SVG file uploads entirely.
Navigate to WordPress File Upload settings → Basic Settings → Allowed File Extensions → remove 'svg' from the list.

Implement Content Security Policy
Applies to: all
Add CSP headers to prevent script execution from uploaded files.
Add to .htaccess: Header set Content-Security-Policy "default-src 'self'; script-src 'self'"
Or use a WordPress security plugin to implement the CSP.

🧯 If You Can't Patch

  • Temporarily disable the WordPress File Upload plugin
  • Implement web application firewall rules to block SVG uploads containing script tags

🔍 How to Verify

Check if Vulnerable:

Check the plugin version in the WordPress admin panel under Plugins → Installed Plugins. If the version is 4.24.8 or lower, the system is vulnerable.

Check Version:

wp plugin list --name='wp-file-upload' --field=version (if WP-CLI is installed)

Verify Fix Applied:

After updating, verify plugin version shows 4.24.9 or higher. Test SVG upload functionality to ensure scripts are properly sanitized.
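As an added example (not from the advisory or the plugin itself), the following Python scanner checks an SVG file for the active-content constructs that make it a stored-XSS carrier, so it can be run over files in the uploads directory to verify sanitization after the update, or used to sharpen the upload-log indicator below. It goes beyond matching literal script tags, which a "block SVG containing script tags" rule would stop at, by also flagging on* event-handler attributes, javascript: URLs and foreignObject; sample SVGs are constructed inline and the parser is the standard library, so wrapping it with defusedxml for untrusted input is assumed for production use.

```python
"""Flag active content in SVG files (added example; constructed samples)."""
import re
import xml.etree.ElementTree as ET
from typing import List

XLINK_NS = "http://www.w3.org/1999/xlink"

# Elements that can execute or embed script-capable content.
DANGEROUS_TAGS = {"script", "foreignObject"}
# Attributes that may carry a URL (including SMIL animation targets).
URL_ATTRS = {"href", f"{{{XLINK_NS}}}href", "to", "from", "values"}
JS_SCHEME = re.compile(r"javascript\s*:", re.IGNORECASE)


def local_name(tag: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on tags and attributes."""
    return tag.rsplit("}", 1)[-1]


def find_active_content(svg_text: str) -> List[str]:
    """Return a list of findings; an empty list means no active content found.

    Malformed XML is reported as a finding: browsers will not render it, so
    there is no reason to accept it as an image.
    """
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError:
        return ["malformed XML (reject)"]
    findings = []
    for elem in root.iter():  # root first, then every descendant
        name = local_name(elem.tag)
        if name in DANGEROUS_TAGS:
            findings.append(f"element <{name}>")
        for attr, value in elem.attrib.items():
            attr_local = local_name(attr)
            if attr_local.lower().startswith("on"):
                findings.append(f"event handler {attr_local} on <{name}>")
            elif attr in URL_ATTRS and JS_SCHEME.search(value):
                findings.append(f"javascript: URL in {attr_local} on <{name}>")
    return findings


# Constructed samples: a plain icon, and one carrying three kinds of active content.
BENIGN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'
SUSPECT_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" '
    'xmlns:xlink="http://www.w3.org/1999/xlink" onload="x()">'
    '<script>x()</script>'
    '<a xlink:href="javascript:x()"><text>x</text></a></svg>'
)

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SVG), ("suspect", SUSPECT_SVG)):
        print(label, find_active_content(doc) or "clean")
```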

📡 Detection & Monitoring

Log Indicators:

  • Multiple SVG file uploads from single IP
  • SVG files containing script tags in upload logs
  • Unusual file upload patterns

Network Indicators:

  • POST requests to /wp-content/plugins/wp-file-upload/ with SVG files
  • SVG files with embedded JavaScript in upload traffic

SIEM Query:

source="wordpress" AND (uri_path="*wp-file-upload*" OR file_type="svg") AND (http_method="POST" OR http_method="PUT")

🔗 References