WordPress File Upload Plugin CVE-2024-11613 RCE via MIME Bypass

Vulnerability Overview This document discusses a new Remote Code Execution (RCE) vulnerability (CVE-2024-11613) introduced by the WordPress File Upload plugin after patching CVE-2024-9939 and CVE-2024-11635. The vendor attempted to eliminate cookie-based inputs by reading from temporary files; however, this approach introduced risks of path traversal and arbitrary file deletion. Furthermore, despite the plugin implementing strict MIME type checks, attackers can bypass these checks by crafting "junk" files containing valid JSON payloads padded with excessive whitespace characters (such as spaces, tabs, etc.). This allows the upload of PHP files to achieve RCE. Scope of Impact Plugin Name: WordPress File Upload Affected Versions: 4.24.14 - 4.24.15 Remediation and Technical Details 1. Vendor Remediation Attempt: The vendor attempted to replace the previous cookie-based input mechanism by reading data from temporary files via the function. 2. New Vulnerability Vectors: Arbitrary File Deletion: The parameter within is not sanitized, allowing attackers to traverse directories and delete arbitrary files. MIME Type Bypass: Although the hook includes multiple checks (DoS checks, filename checks, PHP tag checks, and file size checks), the final function only accepts MIME types from a default whitelist (which does not include ). Exploitation Method: Attackers construct a large file containing a valid JSON payload, padding it with significant "junk" data (e.g., spaces, tabs, newlines) to disguise it as a or file. Since the function is lenient regarding formatting, the file can be parsed, bypassing the MIME type check and allowing the upload of a PHP payload. Key Code Snippets 1. PHP Vulnerable Code Snippet (wfu_read_downloader_data) 2. PHP Vulnerable Code Snippet (wfu_download_file) 3. PHP Vulnerable Code Snippet (wfu_update_download_status) 4. Python POC Code (create_large_junk_json_file)**

Goal Reached Thanks to every supporter — we hit 100%!

WordPress File Upload Plugin CVE-2024-11613 RCE via MIME Bypass