WP Umbrella, a plugin with over 30,000 active installations, is widely used for managing backups, updates, and monitoring across multiple WordPress sites. A critical security vulnerability (CVE-2024-12209) has been discovered in WP Umbrella.
| Product | wp-health |
| Date | 2024-12-10 17:22:21 |
| Information |
|
Technical Summary
CVE-2024-12209 is a Local File Inclusion (LFI) vulnerability present in WP Umbrella versions up to and including 2.17.0. The vulnerability resides in the filename parameter of the umbrella-restore action, allowing unauthenticated attackers to include and execute arbitrary files on the server.
By exploiting this vulnerability, attackers can:
- Execute malicious PHP code.
- Bypass access controls.
- Access sensitive information.
- Potentially gain full control of the affected websites.
Recommendations
Update the WP Umbrella plugin to the latest version that addresses this vulnerability (2.17.1 or higher).
[Callforaction-THREAT-Footer]
