CVE-2024-49329: WP REST API FNS RCE Vulnerability

CVE-2024-49329 Overview

CVE-2024-49329 is a critical unrestricted file upload vulnerability in the WP REST API FNS WordPress plugin developed by vivek2tamrakar. This vulnerability allows unauthenticated attackers to upload arbitrary files with dangerous types, including web shells, directly to a vulnerable WordPress server. The flaw exists in versions up to and including 1.0.0 of the rest-api-fns plugin.

Critical Impact
Attackers can achieve full remote code execution on affected WordPress installations by uploading malicious PHP web shells without authentication, leading to complete server compromise.

Affected Products

WP REST API FNS plugin versions from n/a through <= 1.0.0
WordPress installations running the vulnerable rest-api-fns plugin
vivektamrakar wp_rest_api_fns (all versions up to 1.0.0)

Discovery Timeline

2024-10-20 - CVE-2024-49329 published to NVD
2026-04-01 - Last updated in NVD database

Technical Details for CVE-2024-49329

Vulnerability Analysis

This vulnerability is classified as CWE-434: Unrestricted Upload of File with Dangerous Type. The WP REST API FNS plugin fails to implement proper validation and sanitization of uploaded files through its REST API endpoints. Without adequate checks on file extensions, MIME types, or content inspection, the plugin allows attackers to upload executable PHP files directly to the web server.

The network-accessible attack vector requires no privileges or user interaction, making it trivially exploitable by remote attackers. Once a malicious PHP web shell is uploaded to the WordPress installation, attackers gain arbitrary code execution capabilities within the context of the web server process.

Root Cause

The root cause of CVE-2024-49329 lies in the plugin's failure to implement security controls for file upload operations. The rest-api-fns plugin does not:

Validate file extensions against an allowlist of safe file types
Verify MIME types to ensure uploaded content matches expected formats
Sanitize file names to prevent directory traversal attacks
Implement authentication requirements for upload endpoints
Perform content-based file type detection

This combination of missing security controls allows any remote attacker to upload arbitrary files, including PHP web shells, that can be executed by accessing them directly on the server.

Attack Vector

The attack is conducted over the network through the WordPress REST API endpoints exposed by the vulnerable plugin. An attacker can exploit this vulnerability through the following attack pattern:

Identify a WordPress installation running the WP REST API FNS plugin version 1.0.0 or earlier
Craft an HTTP request to the plugin's file upload endpoint
Upload a malicious PHP file (web shell) without any authentication
Access the uploaded web shell directly via its URL path
Execute arbitrary commands on the server with web server privileges

The attack requires no authentication, no user interaction, and can be performed by any remote attacker with network access to the WordPress installation. For additional technical details, refer to the Patchstack WordPress Vulnerability Advisory.

Detection Methods for CVE-2024-49329

Indicators of Compromise

Unexpected PHP files appearing in WordPress upload directories or plugin folders
Web shell files with suspicious names or obfuscated content in wp-content/uploads/ or plugin directories
HTTP requests to unusual file paths within the WordPress installation containing PHP extensions
Outbound connections from the web server to unknown command and control infrastructure

Detection Strategies

Monitor WordPress REST API endpoints for file upload requests, particularly to endpoints associated with the rest-api-fns plugin
Implement file integrity monitoring to detect unauthorized file additions in WordPress directories
Analyze web server access logs for requests to newly created PHP files outside of standard WordPress core or theme files
Deploy web application firewall (WAF) rules to block file upload requests containing PHP or executable extensions

Monitoring Recommendations

Enable verbose logging for WordPress REST API activity and review logs for anomalous upload attempts
Implement real-time file system monitoring for the WordPress installation directory
Configure alerts for any new PHP file creation in upload directories or plugin folders
Monitor for outbound network connections from the web server that may indicate post-exploitation activity

How to Mitigate CVE-2024-49329

Immediate Actions Required

Immediately deactivate and remove the WP REST API FNS (rest-api-fns) plugin from all WordPress installations
Scan the WordPress installation for any unauthorized or suspicious PHP files that may have been uploaded
Review web server access logs for evidence of exploitation attempts or successful compromise
If compromise is suspected, isolate the server and perform a full incident response investigation

Patch Information

As of the available CVE data, no official patch has been released for the WP REST API FNS plugin. The vulnerability affects all versions up to and including 1.0.0. Organizations should remove the plugin entirely until a security update is made available by the developer. Monitor the Patchstack WordPress Vulnerability Advisory for updates on patch availability.

Workarounds

Remove the WP REST API FNS plugin completely from WordPress installations as the primary workaround
If removal is not immediately possible, implement web application firewall rules to block access to the plugin's REST API endpoints
Restrict file upload capabilities at the web server level by configuring PHP to disable file uploads or limit upload directories
Implement strict file permission controls to prevent execution of files in upload directories

bash

# Configuration example - Disable PHP execution in uploads directory
# Add to .htaccess in wp-content/uploads/
<FilesMatch "\.php$">
    Order Deny,Allow
    Deny from all
</FilesMatch>

# Alternative: Using Apache configuration
<Directory "/var/www/html/wp-content/uploads">
    php_admin_flag engine off
</Directory>

CVE-2024-49329 Overview

Critical Impact
Attackers can achieve full remote code execution on affected WordPress installations by uploading malicious PHP web shells without authentication, leading to complete server compromise.

Affected Products

WP REST API FNS plugin versions from n/a through <= 1.0.0
WordPress installations running the vulnerable rest-api-fns plugin
vivektamrakar wp_rest_api_fns (all versions up to 1.0.0)

Discovery Timeline

2024-10-20 - CVE-2024-49329 published to NVD
2026-04-01 - Last updated in NVD database

Technical Details for CVE-2024-49329

Vulnerability Analysis

Root Cause

The root cause of CVE-2024-49329 lies in the plugin's failure to implement security controls for file upload operations. The rest-api-fns plugin does not:

Validate file extensions against an allowlist of safe file types
Verify MIME types to ensure uploaded content matches expected formats
Sanitize file names to prevent directory traversal attacks
Implement authentication requirements for upload endpoints
Perform content-based file type detection

This combination of missing security controls allows any remote attacker to upload arbitrary files, including PHP web shells, that can be executed by accessing them directly on the server.

Attack Vector

The attack is conducted over the network through the WordPress REST API endpoints exposed by the vulnerable plugin. An attacker can exploit this vulnerability through the following attack pattern:

Identify a WordPress installation running the WP REST API FNS plugin version 1.0.0 or earlier
Craft an HTTP request to the plugin's file upload endpoint
Upload a malicious PHP file (web shell) without any authentication
Access the uploaded web shell directly via its URL path
Execute arbitrary commands on the server with web server privileges

Detection Methods for CVE-2024-49329

Indicators of Compromise

Unexpected PHP files appearing in WordPress upload directories or plugin folders
Web shell files with suspicious names or obfuscated content in wp-content/uploads/ or plugin directories
HTTP requests to unusual file paths within the WordPress installation containing PHP extensions
Outbound connections from the web server to unknown command and control infrastructure

Detection Strategies

Monitor WordPress REST API endpoints for file upload requests, particularly to endpoints associated with the rest-api-fns plugin
Implement file integrity monitoring to detect unauthorized file additions in WordPress directories
Analyze web server access logs for requests to newly created PHP files outside of standard WordPress core or theme files
Deploy web application firewall (WAF) rules to block file upload requests containing PHP or executable extensions

Monitoring Recommendations

Enable verbose logging for WordPress REST API activity and review logs for anomalous upload attempts
Implement real-time file system monitoring for the WordPress installation directory
Configure alerts for any new PHP file creation in upload directories or plugin folders
Monitor for outbound network connections from the web server that may indicate post-exploitation activity

How to Mitigate CVE-2024-49329

Immediate Actions Required

Immediately deactivate and remove the WP REST API FNS (rest-api-fns) plugin from all WordPress installations
Scan the WordPress installation for any unauthorized or suspicious PHP files that may have been uploaded
Review web server access logs for evidence of exploitation attempts or successful compromise
If compromise is suspected, isolate the server and perform a full incident response investigation

Patch Information

Workarounds

Remove the WP REST API FNS plugin completely from WordPress installations as the primary workaround
If removal is not immediately possible, implement web application firewall rules to block access to the plugin's REST API endpoints
Restrict file upload capabilities at the web server level by configuring PHP to disable file uploads or limit upload directories
Implement strict file permission controls to prevent execution of files in upload directories

bash

# Configuration example - Disable PHP execution in uploads directory
# Add to .htaccess in wp-content/uploads/
<FilesMatch "\.php$">
    Order Deny,Allow
    Deny from all
</FilesMatch>

# Alternative: Using Apache configuration
<Directory "/var/www/html/wp-content/uploads">
    php_admin_flag engine off
</Directory>

CVE-2024-49329: WP REST API FNS RCE Vulnerability

CVE-2024-49329 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2024-49329

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2024-49329

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2024-49329

Immediate Actions Required

Patch Information

Workarounds

Experience the Most Advanced Cybersecurity Platform

CVE-2024-49329: WP REST API FNS RCE Vulnerability

CVE-2024-49329 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2024-49329

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2024-49329

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2024-49329

Immediate Actions Required

Patch Information

Workarounds

Experience the Most Advanced Cybersecurity Platform