CVE-2024-11150 is a critical security vulnerability classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, or Path Traversal) affecting the WordPress User Extra Fields plugin. The vulnerability arises from insufficient validation of file paths in the delete_tmp_uploaded_file() function, which is responsible for deleting temporary uploaded files. Because the plugin fails to properly restrict the file paths, an unauthenticated attacker can craft requests that specify arbitrary file paths outside the intended directory, leading to deletion of any file on the server accessible by the web server user. This includes critical WordPress files such as wp-config.php, which contains database credentials and other sensitive configuration data. Deleting such files can disrupt website functionality and enable attackers to upload malicious files or execute arbitrary code remotely. The vulnerability is remotely exploitable without any authentication or user interaction, making it highly dangerous. It affects all versions of the plugin up to and including version 16.6. The CVSS v3.1 base score is 9.8, indicating a critical severity with network attack vector, low attack complexity, no privileges required, no user interaction, and high impact on confidentiality, integrity, and availability. Although no public exploits have been reported yet, the vulnerability's characteristics make it a prime target for attackers. The plugin is widely used in WordPress environments, which are common globally, increasing the potential attack surface.

The impact of CVE-2024-11150 is severe for organizations using the WordPress User Extra Fields plugin. Successful exploitation allows attackers to delete arbitrary files on the web server, which can lead to denial of service by removing critical files or enable remote code execution by deleting configuration files and replacing them with malicious content. This compromises the confidentiality, integrity, and availability of the affected systems. Websites may be defaced, data stolen, or entire web applications taken offline. Given WordPress's widespread adoption, this vulnerability could be leveraged in large-scale attacks against businesses, government agencies, and other organizations relying on WordPress for their web presence. The lack of authentication and user interaction requirements significantly increases the risk of automated exploitation and wormable attacks. The potential for remote code execution elevates the threat to full system compromise, data breaches, and persistent attacker footholds.

To mitigate CVE-2024-11150, organizations should immediately update the WordPress User Extra Fields plugin to a patched version once released by the vendor. Until a patch is available, administrators should consider disabling or uninstalling the plugin to eliminate the attack surface. Implementing web application firewall (WAF) rules to detect and block suspicious requests attempting path traversal patterns targeting the delete_tmp_uploaded_file() function can provide temporary protection. Restrict file system permissions for the web server user to limit the ability to delete critical files outside designated directories. Monitoring web server logs for unusual DELETE requests or path traversal attempts can help detect exploitation attempts early. Additionally, regular backups of website files and configurations are essential to recover quickly from any successful attacks. Security teams should also conduct thorough audits of WordPress plugins and remove any unnecessary or unmaintained plugins to reduce risk.