CVE-2024-9047

9.8 CRITICAL

📋 TL;DR

The WordPress File Upload plugin has a path traversal vulnerability in wfu_file_downloader.php that allows unauthenticated attackers to read or delete files outside intended directories. This affects all WordPress sites using the plugin version 4.24.11 or earlier with PHP 7.4 or older. The vulnerability is critical with a CVSS score of 9.8.

💻 Affected Systems

Products:
  • WordPress File Upload plugin
Versions: All versions up to and including 4.24.11
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires PHP 7.4 or earlier; PHP 8.0+ installations are not vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could read sensitive files like wp-config.php containing database credentials, delete critical system files causing site disruption, or access other user data leading to complete site compromise.

🟠 Likely Case

Attackers will likely read configuration files to steal database credentials and gain administrative access to the WordPress installation.

🟢 If Mitigated

With proper file permissions and PHP 8.0+, exploitation would fail or be limited to non-critical files.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple HTTP requests with directory traversal sequences can exploit this vulnerability without authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.24.12

Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3164449/wp-file-upload

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Go to Plugins → Installed Plugins.
3. Find 'WordPress File Upload' and click 'Update Now'.
4. Verify the version is 4.24.12 or higher.

🔧 Temporary Workarounds

Upgrade PHP Version

Platform: Linux

Upgrade to PHP 8.0 or higher since the vulnerability only affects PHP 7.4 and earlier.

sudo apt update && sudo apt install php8.0   # which PHP 8.x package exists depends on the distribution release; some need a third-party repository
sudo a2dismod php7.4 && sudo a2enmod php8.0  # only if PHP runs as an Apache module (not php-fpm); adjust the old version to what is installed
sudo systemctl restart apache2

Disable Plugin

Platform: All

Temporarily disable the WordPress File Upload plugin until patched.

wp plugin deactivate wp-file-upload

🧯 If You Can't Patch

  • Block access to wfu_file_downloader.php via web server configuration or WAF rules.
  • Implement strict file permissions (644 for files, 755 for directories) to limit damage.

🔍 How to Verify

Check if Vulnerable:

Check if WordPress File Upload plugin version is 4.24.11 or lower and PHP version is 7.4 or earlier.

Check Version:

wp plugin get wp-file-upload --field=version

Verify Fix Applied:

Verify plugin version is 4.24.12 or higher in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests to /wp-content/plugins/wp-file-upload/wfu_file_downloader.php with ../ sequences
  • Unusual file access patterns in PHP error logs

Network Indicators:

  • HTTP GET requests with directory traversal payloads to the vulnerable endpoint

SIEM Query:

source="web_access.log" AND uri="*wfu_file_downloader.php*" AND (uri="*../*" OR uri="*..%2f*")
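The log indicators and SIEM query above, turned into a small offline checker as an added example (not part of the advisory): it parses combined-format access log lines, percent-decodes the request URI until stable so `..%2f` and double-encoded `%252e%252e` are caught as well as plain `../`, and keeps only requests aimed at the downloader endpoint named in this advisory. The sample log lines, source addresses and the record format returned are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache/nginx combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2024:12:00:01 +0000] "GET /wp-content/plugins/wp-file-upload/wfu_file_downloader.php?file=..%2F..%2Fwp-config.php HTTP/1.1" 200 1834 "-" "curl/8.0"
198.51.100.7 - - [10/Oct/2024:12:00:05 +0000] "GET /wp-content/plugins/wp-file-upload/wfu_file_downloader.php?file=report.pdf HTTP/1.1" 200 51200 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2024:12:00:09 +0000] "GET /wp-content/plugins/wp-file-upload/wfu_file_downloader.php?file=%252e%252e/%252e%252e/wp-config.php HTTP/1.1" 404 210 "-" "curl/8.0"
192.0.2.44 - - [10/Oct/2024:12:00:12 +0000] "GET /index.php?p=../../etc/passwd HTTP/1.1" 403 0 "-" "Mozilla/5.0"
"""

# Endpoint named in the advisory; matched case-insensitively anywhere in the path
# so WordPress installs living in a subdirectory are covered too.
ENDPOINT = "/wp-content/plugins/wp-file-upload/wfu_file_downloader.php"

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)
# A ".." segment followed by a forward or back slash, checked only after decoding.
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")


def fully_decode(uri, max_rounds=3):
    """Percent-decode until stable so double-encoded %252e%252e shows up as '..'."""
    for _ in range(max_rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri


def is_traversal_attempt(uri):
    """True when the request targets the downloader and carries a traversal sequence."""
    decoded = fully_decode(uri)
    path = decoded.partition("?")[0].lower()
    return ENDPOINT in path and TRAVERSAL_RE.search(decoded) is not None


def find_traversal_requests(log_text):
    """Return one triage record per suspicious request, in log order."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_traversal_attempt(m["uri"]):
            hits.append({"ip": m["ip"], "ts": m["ts"], "status": m["status"],
                         "decoded_uri": fully_decode(m["uri"])})
    return hits
```

Running `find_traversal_requests(SAMPLE_LOG)` flags only the two requests to the downloader that carry a traversal sequence, including the one the web server already answered with 404; the legitimate download and the unrelated `index.php` probe are left out.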

🔗 References
