Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2024-9047

CVE-2024-9047: WordPress File Upload Path Traversal Flaw

CVE-2024-9047 is a path traversal vulnerability in Iptanus WordPress File Upload plugin affecting versions up to 4.24.11. Unauthenticated attackers can read or delete files on PHP 7.4 or earlier installations. This article covers technical details, affected versions, impact, and mitigation strategies.

Published:

CVE-2024-9047 Overview

CVE-2024-9047 is a critical Path Traversal vulnerability affecting the WordPress File Upload plugin for WordPress. The vulnerability exists in wfu_file_downloader.php in all versions up to and including 4.24.11, allowing unauthenticated attackers to read or delete files outside of the originally intended directory. Successful exploitation requires the targeted WordPress installation to be running PHP 7.4 or earlier.

Critical Impact

Unauthenticated remote attackers can read sensitive configuration files (including wp-config.php) or delete critical system files, potentially leading to complete site compromise, data theft, or denial of service.

Affected Products

  • WordPress File Upload plugin versions up to and including 4.24.11
  • WordPress installations running PHP 7.4 or earlier
  • Iptanus WordPress File Upload (cpe:2.3:a:iptanus:wordpress_file_upload:*:*:*:*:*:wordpress:*:*)

Discovery Timeline

  • 2024-10-12 - CVE-2024-9047 published to NVD
  • 2025-03-12 - Last updated in NVD database

Technical Details for CVE-2024-9047

Vulnerability Analysis

This vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), commonly known as Path Traversal or Directory Traversal. The flaw resides in the wfu_file_downloader.php file within the WordPress File Upload plugin, where user-supplied input is not properly sanitized before being used in file system operations.

The vulnerability enables unauthenticated attackers to traverse outside the intended upload directory and access arbitrary files on the server. This can result in unauthorized access to sensitive files such as wp-config.php (containing database credentials), system configuration files, or user data. Additionally, attackers may be able to delete critical files, potentially causing site disruption or facilitating further attacks.

A critical limiting factor is that successful exploitation requires the WordPress installation to be running PHP 7.4 or earlier, as newer PHP versions may include protections that mitigate this specific attack vector.

Root Cause

The root cause of CVE-2024-9047 lies in insufficient input validation within the wfu_file_downloader.php component. The plugin fails to properly sanitize file path parameters, allowing attackers to inject path traversal sequences (such as ../) that escape the intended directory structure. When PHP 7.4 or earlier is in use, these traversal sequences are processed without adequate restrictions, enabling access to files outside the designated upload directories.

Attack Vector

The attack vector for this vulnerability is network-based, requiring no authentication or user interaction. An attacker can craft malicious HTTP requests to the vulnerable wfu_file_downloader.php endpoint, including path traversal sequences in the file path parameter. These sequences allow the attacker to navigate the file system hierarchy and target files outside the plugin's intended scope.

The exploitation path typically involves:

  1. Identifying a WordPress site using the vulnerable WordPress File Upload plugin version
  2. Confirming the target is running PHP 7.4 or earlier
  3. Sending crafted requests to wfu_file_downloader.php with path traversal sequences
  4. Reading sensitive files (e.g., wp-config.php, /etc/passwd) or deleting critical files to disrupt operations

For detailed technical analysis, refer to the Wordfence Vulnerability Report.

Detection Methods for CVE-2024-9047

Indicators of Compromise

  • HTTP requests to wfu_file_downloader.php containing path traversal sequences such as ../, ..%2f, or ..%5c
  • Unusual access to wfu_file_downloader.php from external IP addresses
  • Web server logs showing requests attempting to access files outside the wp-content/uploads directory
  • Unexpected file deletions or modifications on the server
  • Access attempts to sensitive files like wp-config.php through the plugin endpoint

Detection Strategies

  • Monitor web server access logs for requests containing path traversal patterns targeting wfu_file_downloader.php
  • Deploy Web Application Firewall (WAF) rules to detect and block path traversal attempts in HTTP requests
  • Implement file integrity monitoring to detect unauthorized file reads or deletions
  • Use intrusion detection systems configured with signatures for directory traversal attacks against WordPress plugins

Monitoring Recommendations

  • Enable detailed logging for the WordPress File Upload plugin and web server access logs
  • Set up alerts for any requests to wfu_file_downloader.php containing encoded or plaintext traversal sequences
  • Monitor for anomalous file system activity, particularly reads of configuration files or deletions of critical WordPress files
  • Regularly audit installed plugin versions against known vulnerability databases

How to Mitigate CVE-2024-9047

Immediate Actions Required

  • Update the WordPress File Upload plugin to a version newer than 4.24.11 immediately
  • If immediate patching is not possible, consider temporarily deactivating the plugin until it can be updated
  • Upgrade PHP to version 7.5 or later to reduce exploitability of this specific vulnerability
  • Implement WAF rules to block path traversal attempts
  • Review server logs for any indicators of attempted or successful exploitation

Patch Information

The vendor has released a security patch addressing this vulnerability. The fix is available in the WordPress Plugin Change Log. Website administrators should update to the latest version of the WordPress File Upload plugin through the WordPress admin dashboard or by manually downloading the patched version from the official WordPress plugin repository.

Workarounds

  • Temporarily disable or uninstall the WordPress File Upload plugin until it can be patched
  • Implement server-level access controls to restrict access to wfu_file_downloader.php
  • Deploy WAF rules specifically designed to detect and block path traversal sequences in request parameters
  • Upgrade PHP to version 8.0 or later, which may provide additional protections against this attack vector
  • Restrict file system permissions to limit the impact of potential traversal attacks
bash
# Example: Block access to vulnerable file using Apache .htaccess
<Files "wfu_file_downloader.php">
    Order Allow,Deny
    Deny from all
</Files>

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne