CVE-2024-43160 Overview
CVE-2024-43160 is an unauthenticated arbitrary file upload vulnerability in the BerqWP WordPress plugin, affecting all versions through 1.7.6. The flaw, classified as Unrestricted Upload of File with Dangerous Type [CWE-434], permits remote attackers to upload executable files without authentication. Successful exploitation enables code injection on the target WordPress site, leading to full site compromise. The vulnerability is reachable over the network with no privileges or user interaction required, and the scope is changed because uploaded code executes in the underlying web server context.
Critical Impact
Unauthenticated remote attackers can upload arbitrary files and achieve code execution on affected WordPress installations running BerqWP through version 1.7.6.
Affected Products
- BerqWP WordPress plugin versions through 1.7.6
- WordPress sites with BerqWP (SearchPro) installed and active
- Hosting environments running the vulnerable plugin
Discovery Timeline
- 2024-08-13 - CVE-2024-43160 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2024-43160
Vulnerability Analysis
The BerqWP plugin exposes a file upload endpoint that fails to validate authentication, file type, and file extension before writing the supplied content to disk. Because the plugin accepts files with dangerous types, attackers can place PHP scripts inside the WordPress web root. Once written, requesting the uploaded file triggers execution under the web server user, yielding remote code execution.
The issue is reachable from the public internet against any WordPress site running BerqWP 1.7.6 or earlier. With an EPSS score of 83.7% and a percentile near the top of the distribution, exploitation activity is highly probable. Code execution on a WordPress host typically allows attackers to read wp-config.php, exfiltrate database credentials, pivot to administrator accounts, and persist via web shells.
Root Cause
The root cause is missing server-side validation on a file upload handler exposed by the plugin. The handler does not enforce capability checks, nonce validation, MIME type filtering, or extension allow-listing. This combination of missing controls maps directly to CWE-434, Unrestricted Upload of File with Dangerous Type.
Attack Vector
An unauthenticated attacker sends a crafted HTTP request to the vulnerable plugin endpoint with a PHP payload disguised as an asset. The server writes the file into a web-accessible directory. The attacker then requests the dropped script directly, executing arbitrary PHP code with the privileges of the web server.
See the Patchstack Vulnerability Report for additional technical context.
Detection Methods for CVE-2024-43160
Indicators of Compromise
- Unexpected .php, .phtml, or .phar files inside wp-content/uploads/ or BerqWP plugin directories
- POST requests to BerqWP upload endpoints from unauthenticated sources
- New scheduled tasks, modified wp-config.php, or unfamiliar administrator accounts created shortly after suspicious uploads
- Outbound connections from the web server to attacker-controlled infrastructure following file writes
Detection Strategies
- Inspect web server access logs for POST requests targeting BerqWP plugin paths with non-image content types or oversized payloads
- Audit the WordPress uploads directory for executable file extensions, which should never be present in standard installations
- Correlate file creation events in the web root with subsequent GET requests that invoke the same file
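The last two strategies can be combined into one log-correlation check. The following is an added example (not from the advisory or the plugin vendor) that scans constructed Apache/Nginx combined-format access log lines, flags POSTs to BerqWP plugin paths, and reports any later GET from the same client for a script-like file under wp-content/uploads/. The plugin directory names (berqwp, searchpro) and the upload endpoint file name are assumptions, as is the sample traffic.

```python
import re
from collections import defaultdict

# Combined log format (Apache / Nginx default). Sample lines below are constructed.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# Plugin directory names are an assumption; adjust to the slug installed on the site.
PLUGIN_PATH_RE = re.compile(r'/wp-content/plugins/(berqwp|searchpro)/', re.I)
# Executable extensions that should never be served from the uploads directory.
UPLOADS_SCRIPT_RE = re.compile(r'/wp-content/uploads/.*\.(php|phtml|phar|php\d+)(\?|$)', re.I)

# Constructed sample log; "placeholder-upload.php" stands in for the real endpoint name.
SAMPLE_LOG = """\
203.0.113.5 - - [13/Aug/2024:10:01:02 +0000] "GET /wp-content/plugins/searchpro/assets/app.css HTTP/1.1" 200 812
203.0.113.5 - - [13/Aug/2024:10:01:09 +0000] "POST /wp-content/plugins/searchpro/placeholder-upload.php HTTP/1.1" 200 54
203.0.113.5 - - [13/Aug/2024:10:01:15 +0000] "GET /wp-content/uploads/2024/08/cache.php HTTP/1.1" 200 231
198.51.100.7 - - [13/Aug/2024:10:02:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 17
198.51.100.7 - - [13/Aug/2024:10:02:05 +0000] "GET /wp-content/uploads/2024/08/logo.png HTTP/1.1" 200 4096
"""

def parse(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_upload_then_execute(log_text):
    """Return (ip, plugin_post_path, uploads_script_path) triples where a client POSTed
    to a plugin path and later requested a script-like file from wp-content/uploads/."""
    posts = defaultdict(list)   # ip -> plugin paths that client POSTed to
    hits = []
    for line in log_text.splitlines():
        rec = parse(line)
        if not rec:
            continue
        if rec["method"] == "POST" and PLUGIN_PATH_RE.search(rec["path"]):
            posts[rec["ip"]].append(rec["path"])
        elif rec["method"] == "GET" and UPLOADS_SCRIPT_RE.search(rec["path"]):
            # The log is in time order, so every recorded POST from this IP precedes this GET.
            for upload_path in posts.get(rec["ip"], []):
                hits.append((rec["ip"], upload_path, rec["path"]))
    return hits

if __name__ == "__main__":
    for ip, up, script in find_upload_then_execute(SAMPLE_LOG):
        print(f"ALERT {ip}: POST {up} followed by GET {script}")
```

Feed real access logs through `find_upload_then_execute` in time order; a GET for a script under uploads/ from an IP with no prior plugin POST is still worth reviewing on its own via `UPLOADS_SCRIPT_RE`.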
Monitoring Recommendations
- Enable file integrity monitoring on wp-content/plugins/ and wp-content/uploads/
- Forward web server, PHP-FPM, and WordPress audit logs to a centralized SIEM for correlation
- Alert on process executions spawned by the web server user, such as sh, bash, curl, or wget
How to Mitigate CVE-2024-43160
Immediate Actions Required
- Update BerqWP to a version later than 1.7.6 immediately, or deactivate and remove the plugin if no fixed version is deployable
- Review the WordPress uploads directory and plugin directories for unauthorized files and remove any web shells
- Rotate WordPress administrator passwords, secret keys in wp-config.php, and any database credentials exposed on the host
- Inspect the site for backdoor accounts, modified themes, and injected mu-plugins
Patch Information
The vendor advisory tracked by Patchstack identifies BerqWP 1.7.6 as the last vulnerable release. Administrators must upgrade to a patched release listed in the Patchstack Vulnerability Report. If no fixed version is available for the deployed build, uninstall the plugin until a patch is applied.
Workarounds
- Block requests to BerqWP upload endpoints at the web application firewall until the plugin is patched or removed
- Deny PHP execution within wp-content/uploads/ using web server configuration to neutralize dropped payloads
- Restrict write permissions on plugin and upload directories to the minimum required by WordPress
# Disable PHP execution in the WordPress uploads directory (Apache).
# This only takes effect if AllowOverride permits .htaccess in this directory;
# otherwise put the same <FilesMatch> block in the vhost's <Directory> section
# for wp-content/uploads/.
cat > /var/www/html/wp-content/uploads/.htaccess <<'EOF'
<FilesMatch "\.(php|phtml|phar|php[0-9]+)$">
Require all denied
</FilesMatch>
EOF
# Nginx equivalent inside the server block. Regex locations are matched in order
# of appearance, so this block must come before the generic "location ~ \.php$"
# handler, or PHP-FPM will still execute the file.
# location ~* /wp-content/uploads/.*\.(php|phtml|phar)$ {
# deny all;
# return 403;
# }
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.