The WP Umbrella: Update Backup Restore & Monitoring plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.17.0 via the 'filename' parameter of the 'umbrella-restore' action. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
Metrics
Affected Vendors & Products
References
History
Mon, 09 Dec 2024 16:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared |
Wphealth
Wphealth wp Umbrella Update Backup Restore And Monitoring |
|
CPEs | cpe:2.3:a:wphealth:wp_umbrella_update_backup_restore_and_monitoring:*:*:*:*:*:*:*:* | |
Vendors & Products |
Wphealth
Wphealth wp Umbrella Update Backup Restore And Monitoring |
|
Metrics |
ssvc
|
Sun, 08 Dec 2024 05:45:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | The WP Umbrella: Update Backup Restore & Monitoring plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.17.0 via the 'filename' parameter of the 'umbrella-restore' action. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. | |
Title | WP Umbrella: Update Backup Restore & Monitoring <= 2.17.0 - Unauthenticated Local File Inclusion | |
Weaknesses | CWE-98 | |
References |
|
|
Metrics |
cvssV3_1
|
MITRE
Status: PUBLISHED
Assigner: Wordfence
Published: 2024-12-08T05:25:16.114Z
Updated: 2024-12-09T15:54:53.710Z
Reserved: 2024-12-04T17:49:33.048Z
Link: CVE-2024-12209
Vulnrichment
Updated: 2024-12-09T15:54:47.684Z
NVD
Status : Received
Published: 2024-12-08T06:15:04.823
Modified: 2024-12-08T06:15:04.823
Link: CVE-2024-12209
Redhat
No data.