CVE-2024-13011 Overview
The WP Foodbakery plugin for WordPress contains a critical arbitrary file upload vulnerability in the upload_publisher_profile_image function. Due to insufficient file type validation in versions up to and including 4.7, unauthenticated attackers can upload arbitrary files to the affected site's server, potentially leading to remote code execution.
Critical Impact
Unauthenticated attackers can upload malicious files, including web shells, enabling remote code execution and complete server compromise without any legitimate access to the site.
Affected Products
- WP Foodbakery plugin for WordPress versions up to and including 4.7
- WordPress sites using the Food Bakery theme with the vulnerable plugin
Discovery Timeline
- 2025-02-10 - CVE-2024-13011 published to NVD
- 2025-02-10 - Last updated in NVD database
Technical Details for CVE-2024-13011
Vulnerability Analysis
This vulnerability is classified as CWE-434: Unrestricted Upload of File with Dangerous Type. The upload_publisher_profile_image function in the WP Foodbakery plugin fails to properly validate the type of files being uploaded by users. This missing validation allows attackers to bypass intended security restrictions and upload executable files such as PHP web shells directly to the server.
The attack requires no authentication, meaning any remote attacker with network access to the WordPress site can exploit this vulnerability. Upon successful exploitation, the attacker can execute arbitrary code on the server with the privileges of the web server process, potentially leading to complete site takeover, data theft, or use of the server as a pivot point for further attacks.
Root Cause
The root cause lies in the insufficient file type validation within the upload_publisher_profile_image function. The plugin fails to implement proper checks such as:
- MIME type validation
- File extension whitelisting
- Content inspection of uploaded files
This allows attackers to upload files with executable extensions (e.g., .php) that the server will interpret and execute when accessed.
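The three missing checks above, applied together, as an added example (this is not the plugin's code; a WordPress plugin would implement the same logic in PHP, and the file names, MIME strings and byte samples below are constructed). The validator judges the last extension only, requires the declared MIME type to be an image type, inspects the leading bytes for a matching image signature, rejects bodies containing a PHP open tag as defence in depth, and never stores a file under the client-supplied name:

```python
"""Hardened profile-image upload validation: extension allowlist, MIME type
validation and content inspection.  Added example, not the plugin's code."""
import os
import re

# Only the raster formats a profile picture legitimately needs.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "webp"}
ALLOWED_MIME_TYPES = {"image/jpeg", "image/png", "image/gif", "image/webp"}

# A PHP open tag anywhere in the body rejects the file even when its magic
# bytes are valid (a polyglot image); real photos almost never contain one.
PHP_TAG = re.compile(rb"<\?(?:php|=)", re.IGNORECASE)


def _looks_like_image(data: bytes, ext: str) -> bool:
    """Content inspection: do the leading bytes match the claimed format?"""
    if ext in ("jpg", "jpeg"):
        return data.startswith(b"\xff\xd8\xff")
    if ext == "png":
        return data.startswith(b"\x89PNG\r\n\x1a\n")
    if ext == "gif":
        return data[:6] in (b"GIF87a", b"GIF89a")
    if ext == "webp":
        return data[:4] == b"RIFF" and data[8:12] == b"WEBP"
    return False


def validate_upload(filename: str, client_mime: str, data: bytes):
    """Return (ok, reason, safe_name).  safe_name is server-generated, so the
    client-supplied name never reaches the filesystem."""
    base = os.path.basename(filename)  # strip any directory components
    if "." not in base:
        return False, "no extension", None
    # Judge the LAST extension, so 'avatar.png.php' is treated as PHP.
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension .{ext} not allowed", None
    if client_mime.lower() not in ALLOWED_MIME_TYPES:
        return False, f"MIME type {client_mime} not allowed", None
    if not _looks_like_image(data, ext):
        return False, "content does not match an image signature", None
    if PHP_TAG.search(data):
        return False, "PHP open tag found in file body", None
    # Fixed prefix + random id + validated extension: no double extensions,
    # no path characters, nothing chosen by the client.
    safe_name = f"profile_{os.urandom(8).hex()}.{ext}"
    return True, "ok", safe_name


# Constructed sample uploads (not real captures): a minimal PNG header plus
# padding, and a PHP body that only echoes a string.
PNG_HEADER = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
PHP_BODY = b"<?php echo 'hello'; ?>"
SAMPLES = {
    "good_png": ("avatar.png", "image/png", PNG_HEADER),
    "php_extension": ("avatar.php", "image/png", PNG_HEADER),
    "double_extension": ("avatar.png.php", "image/png", PNG_HEADER),
    "wrong_mime": ("avatar.png", "application/x-httpd-php", PNG_HEADER),
    "script_as_png": ("avatar.png", "image/png", PHP_BODY),
    "polyglot": ("avatar.png", "image/png", PNG_HEADER + PHP_BODY),
}


def run_samples():
    """Map each sample name to its (ok, reason) verdict."""
    return {name: validate_upload(*args)[:2] for name, args in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:18} -> {verdict}")
```

Even with these checks in place, the server-side execution block for the uploads directory (the .htaccess example under Workarounds) stays worthwhile: the validator stops a script from being stored, the execution block stops a stored file from ever running.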
Attack Vector
The attack can be executed remotely over the network without any user interaction or authentication. An attacker would:
- Identify a WordPress site running the vulnerable WP Foodbakery plugin version 4.7 or earlier
- Craft a malicious request to the upload_publisher_profile_image endpoint
- Upload a PHP web shell or other malicious script, submitted as a profile image with or without any attempt to disguise it
- Access the uploaded file directly to execute arbitrary commands on the server
The vulnerability allows unauthenticated exploitation, making it particularly dangerous as it requires no legitimate access to the WordPress site to compromise it.
Detection Methods for CVE-2024-13011
Indicators of Compromise
- Unexpected PHP files or other executable scripts in the WordPress uploads directory
- Suspicious HTTP POST requests to endpoints associated with the upload_publisher_profile_image function
- Web server logs showing access to newly uploaded files in unusual locations
- Outbound connections from the web server to unknown IP addresses
Detection Strategies
- Monitor file system changes in WordPress uploads directories for executable file types
- Implement web application firewall (WAF) rules to detect and block file upload attacks
- Review HTTP access logs for POST requests to the upload endpoint and for subsequent requests to files with script extensions (e.g., .php) under the uploads path
- Use integrity monitoring tools to detect unauthorized file additions to the web root
Monitoring Recommendations
- Enable file integrity monitoring on the WordPress installation directory
- Configure alerts for any new PHP files created in uploads or content directories
- Monitor outbound network connections from the web server for anomalous behavior
- Implement logging and alerting on the upload_publisher_profile_image function endpoint
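The indicators and monitoring points listed above, as an added detection example (not from the page's source or the plugin): a parser for combined-format access logs that flags POSTs naming the upload_publisher_profile_image function and any script file served with a 200 from under wp-content/uploads, correlating the two by client address, plus a filesystem scan that lists script files present under an uploads tree. The log lines and directory tree are constructed here; the admin-ajax.php route in the sample is an assumption about how the function is exposed, which is why the rule matches on the function name rather than a fixed URL.

```python
"""Access-log and filesystem detection for script uploads.  Added example;
sample data is constructed, not captured from a real site."""
import os
import re
import tempfile

# Combined log format, common fields only (client, timestamp, request, status).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
UPLOADS_PREFIX = "/wp-content/uploads/"
# Extensions a PHP handler may execute; nothing under uploads should match.
SCRIPT_EXT = re.compile(r"\.(?:php\d?|phtml|phar)$", re.IGNORECASE)
UPLOAD_FUNC = "upload_publisher_profile_image"


def analyze_log(lines):
    """Return a list of (rule, client_ip, path) alerts, in log order."""
    alerts = []
    uploaders = set()  # clients that have already hit the upload function
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than abort the scan
        ip, method, path, status = m["ip"], m["method"], m["path"], m["status"]
        bare = path.split("?", 1)[0]  # drop the query string for extension checks
        if method == "POST" and UPLOAD_FUNC in path:
            uploaders.add(ip)
            alerts.append(("upload_endpoint_post", ip, bare))
        elif (method == "GET" and bare.startswith(UPLOADS_PREFIX)
              and SCRIPT_EXT.search(bare) and status == "200"):
            # A script under uploads answered 200: it ran or is exposed.
            rule = "upload_then_execute" if ip in uploaders else "script_in_uploads_served"
            alerts.append((rule, ip, bare))
    return alerts


def scan_uploads(root):
    """List files under root whose extension a PHP handler could execute."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if SCRIPT_EXT.search(name):
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                hits.append(rel.replace(os.sep, "/"))
    return sorted(hits)


# Constructed sample log (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Feb/2025:12:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=upload_publisher_profile_image HTTP/1.1" 200 152 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Feb/2025:12:00:04 +0000] "GET /wp-content/uploads/2025/02/avatar.php HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Feb/2025:12:01:10 +0000] "GET /wp-content/uploads/2025/02/photo.jpg HTTP/1.1" 200 48211 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Feb/2025:12:02:00 +0000] "GET /wp-content/uploads/old/index.php HTTP/1.1" 200 310 "-" "curl/8.0"',
    "garbage line that does not parse",
]


def build_sample_tree():
    """Create a throwaway uploads tree containing one stray PHP file."""
    root = tempfile.mkdtemp(prefix="uploads_")
    os.makedirs(os.path.join(root, "2025", "02"))
    samples = (("2025/02/photo.jpg", b"\xff\xd8\xff"), ("2025/02/avatar.php", b"<?php\n"))
    for rel, body in samples:
        with open(os.path.join(root, *rel.split("/")), "wb") as f:
            f.write(body)
    return root


if __name__ == "__main__":
    for alert in analyze_log(SAMPLE_LOG):
        print(alert)
    print(scan_uploads(build_sample_tree()))
```

The correlation is deliberately simple (same client address, POST before GET) so it runs over a plain log file; in a SIEM the same two rules would be joined on client address within a short window, and the filesystem scan would run from file integrity monitoring rather than on a schedule.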
How to Mitigate CVE-2024-13011
Immediate Actions Required
- Update the WP Foodbakery plugin to a version newer than 4.7 that addresses this vulnerability
- If an update is not available, consider temporarily disabling the plugin until a patch is released
- Review the uploads directory for any suspicious files that may have been uploaded
- Implement web application firewall rules to restrict file upload types
Patch Information
Users should update the WP Foodbakery plugin to the latest available version. The plugin is available through ThemeForest. For detailed vulnerability information, refer to the Wordfence Vulnerability Report.
Workarounds
- Restrict access to the file upload functionality at the web server level using authentication or IP whitelisting
- Prevent PHP execution in upload directories using .htaccess or the equivalent web server configuration, so that any script that does get uploaded cannot run
- Use a WAF to filter requests containing potentially malicious file uploads
- Consider disabling the publisher profile image upload feature if not essential to site functionality
# Example .htaccess configuration to prevent PHP execution in uploads directory
# Place in wp-content/uploads/.htaccess (AllowOverride must permit it to take effect)
<FilesMatch "\.(?i:php|php3|php4|php5|phtml)$">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order Deny,Allow
    Deny from all
  </IfModule>
</FilesMatch>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

