CVE-2024-34555 Overview
CVE-2024-34555 is an unrestricted file upload vulnerability in the URBAN BASE Z-Downloads plugin for WordPress. The flaw affects all versions up to and including 1.11.3. Attackers can upload files of dangerous types without authentication, bypassing extension and content validation. Successful exploitation leads to arbitrary code execution on the underlying web server. The vulnerability is tracked as CWE-434 (Unrestricted Upload of File with Dangerous Type) and carries a maximum CVSS score of 10.0.
Critical Impact
Unauthenticated attackers can upload web shells or executable scripts, leading to full remote code execution and complete compromise of the WordPress site.
Affected Products
- URBAN BASE Z-Downloads plugin for WordPress
- All versions from n/a through 1.11.3
- WordPress installations with the Z-Downloads plugin enabled
Discovery Timeline
- 2024-05-14 - CVE-2024-34555 published to NVD
- 2026-04-28 - Last updated in NVD database
Technical Details for CVE-2024-34555
Vulnerability Analysis
The Z-Downloads plugin exposes a file upload endpoint that fails to validate the type, extension, or content of uploaded files. An attacker can submit a request containing a PHP file or other server-executable script. The plugin writes the file into a web-accessible directory without sanitization. Once uploaded, the attacker can request the file directly through the web server to execute arbitrary code.
The scope change reflected in the CVSS vector indicates that exploitation impacts resources beyond the vulnerable component. A compromised WordPress installation typically enables access to the database, file system, and any privileged services reachable from the host. The EPSS data places this vulnerability in the upper percentile for predicted exploitation activity.
Root Cause
The root cause is missing or improper validation of uploaded file types within the plugin's upload handler. The plugin trusts client-supplied metadata and does not enforce a server-side allowlist of permitted extensions or MIME types. It also stores uploaded files in a location where the web server interprets them as executable code.
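The server-side allowlist that the root-cause paragraph says the plugin lacks, shown as an added Python example (not the plugin's own code). The accepted types, their leading bytes, and the rejected extension list are constructed here for illustration; the client-supplied MIME type is deliberately ignored.

```python
import re

# Server-side allowlist: extension -> acceptable leading bytes ("magic numbers").
# Constructed for this example; restrict it to the document types a site really needs.
ALLOWED_TYPES = {
    "pdf": (b"%PDF-",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "zip": (b"PK\x03\x04",),
}
# Extensions this page lists as dangerous on a PHP host; extend for the server's handlers.
EXECUTABLE_SEGMENTS = {"php", "phtml", "phar", "php5", "php7"}
_SAFE_STEM = re.compile(r"^[a-z0-9_-]+$")


def validate_upload(filename: str, content: bytes) -> tuple:
    """Return (accepted, reason). The client-supplied MIME type is never consulted;
    only the file name and the first bytes of the content decide."""
    if "\x00" in filename or "/" in filename or "\\" in filename:
        return False, "path separator or NUL in file name"
    parts = filename.lower().split(".")
    if len(parts) < 2 or not all(parts):
        return False, "missing or empty extension"
    stem, *exts = parts
    # Any executable segment anywhere in the name is rejected (e.g. name.php.jpg):
    # Apache mod_mime may still route such a file to the PHP handler.
    if any(e in EXECUTABLE_SEGMENTS for e in exts):
        return False, "executable extension segment"
    if len(exts) != 1:
        return False, "multiple extensions"
    ext = exts[0]
    if ext not in ALLOWED_TYPES:
        return False, f"extension .{ext} not in allowlist"
    if not _SAFE_STEM.match(stem):
        return False, "file name contains disallowed characters"
    if not any(content.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        return False, f"content does not match a .{ext} file"
    return True, "ok"
```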
Attack Vector
The vulnerability is exploitable remotely over the network without authentication or user interaction. An attacker sends a crafted HTTP POST request to the plugin's upload handler containing a malicious payload such as a PHP web shell. After upload, the attacker issues an HTTP GET request to the resulting file path to trigger execution. Technical details are documented in the Patchstack Vulnerability Report.
Detection Methods for CVE-2024-34555
Indicators of Compromise
- Unexpected .php, .phtml, or .phar files in the Z-Downloads upload directory or wp-content/uploads subdirectories
- HTTP POST requests to Z-Downloads upload endpoints from unauthenticated sources
- New administrative WordPress users or modifications to wp-config.php following suspicious upload activity
- Outbound connections from the web server to attacker-controlled infrastructure shortly after upload events
Detection Strategies
- Monitor web server access logs for POST requests to Z-Downloads plugin endpoints followed by GET requests to newly created files
- Inspect file integrity baselines for new executable files written under plugin upload directories
- Alert on PHP processes spawning shell utilities such as sh, bash, wget, or curl from the web server user context
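The first detection strategy above (an upload POST followed shortly by a GET to a new executable file under the uploads tree), as an added Python example run over constructed access-log lines; it is not part of the original page. The handler route marker `z-downloads` and the sample paths are assumptions, since the page does not name the exact endpoint.

```python
import re
from datetime import datetime, timedelta

# Combined access-log format as written by Apache or nginx.
_LOG = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+')
_TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Assumption: the plugin's upload handler route contains this marker; the page does
# not name the exact endpoint, so adjust it to the route seen in your own logs.
UPLOAD_MARKER = "z-downloads"
UPLOAD_DIR = "/wp-content/uploads/"
EXEC_EXT = re.compile(r"\.(php|phtml|phar|php5|php7)(\?|$)", re.IGNORECASE)


def parse(line):
    """Return a dict with ip, ts (datetime), method, path, status, or None."""
    m = _LOG.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], _TS_FMT)
    return rec


def find_upload_then_execute(lines, window=timedelta(minutes=10)):
    """Flag GETs of executable files under the uploads tree that follow a POST to
    the upload handler within `window`. Returns (poster_ip, getter_ip, path)."""
    recent_posts, alerts = [], []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and UPLOAD_MARKER in rec["path"].lower():
            recent_posts.append((rec["ts"], rec["ip"]))
        elif (rec["method"] == "GET" and rec["path"].startswith(UPLOAD_DIR)
              and EXEC_EXT.search(rec["path"])):
            for post_ts, post_ip in recent_posts:
                if timedelta(0) <= rec["ts"] - post_ts <= window:
                    alerts.append((post_ip, rec["ip"], rec["path"].split("?")[0]))
                    break
    return alerts


SAMPLE_LOG = [  # constructed lines; RFC 5737 documentation addresses
    '198.51.100.7 - - [15/May/2024:10:02:11 +0000] "GET /wp-content/uploads/2024/05/brochure.pdf HTTP/1.1" 200 8123',
    '203.0.113.9 - - [15/May/2024:10:03:40 +0000] "POST /wp-content/plugins/z-downloads/upload HTTP/1.1" 200 51',
    '203.0.113.9 - - [15/May/2024:10:03:52 +0000] "GET /wp-content/uploads/z-downloads/notes.php HTTP/1.1" 200 77',
    '198.51.100.7 - - [15/May/2024:12:30:00 +0000] "GET /wp-content/uploads/2024/05/brochure.pdf HTTP/1.1" 200 8123',
]
```

Calling `find_upload_then_execute(SAMPLE_LOG)` yields one alert for the `notes.php` request twelve seconds after the upload POST; the PDF requests are ignored.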
Monitoring Recommendations
- Enable a web application firewall (WAF) rule set that blocks uploads with executable extensions to WordPress endpoints
- Forward WordPress and web server logs to a centralized SIEM for correlation against upload and execution patterns
- Track plugin inventory and version data across WordPress sites to identify exposed Z-Downloads installations
How to Mitigate CVE-2024-34555
Immediate Actions Required
- Disable or uninstall the Z-Downloads plugin until a patched version is verified and deployed
- Audit the plugin upload directory for unauthorized files and remove any suspicious uploads
- Rotate WordPress administrator credentials, API keys, and database passwords if compromise is suspected
- Review and revoke unexpected WordPress user accounts created after May 14, 2024
Patch Information
At the time of CVE publication, no fixed version is listed for the URBAN BASE Z-Downloads plugin beyond 1.11.3. Refer to the Patchstack Vulnerability Report for the latest remediation status and vendor updates.
Workarounds
- Remove the Z-Downloads plugin from all WordPress installations until a verified patch is available
- Block public access to the plugin's upload endpoint at the web server or WAF layer
- Configure the web server to deny PHP execution within wp-content/uploads and other writable directories
- Restrict file upload MIME types and extensions at the WAF using an allowlist of safe document formats
```apache
# Configuration example: deny PHP execution in WordPress uploads directory (Apache)
<Directory "/var/www/html/wp-content/uploads">
    <FilesMatch "\.(php|phtml|phar|php5|php7)$">
        Require all denied
    </FilesMatch>
</Directory>
```
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.