
CVE-2024-13011: CWE-434 Unrestricted Upload of File with Dangerous Type in Chimpstudio WP Foodbakery

Critical
Published: Mon Feb 10 2025 (02/10/2025, 18:42:37 UTC)
Source: CVE Database V5
Vendor/Project: Chimpstudio
Product: WP Foodbakery

Description

CVE-2024-13011 is a critical vulnerability in the WP Foodbakery WordPress plugin by Chimpstudio, affecting all versions up to and including 4.7. It arises from insufficient validation of file types in the 'upload_publisher_profile_image' function, allowing unauthenticated attackers to upload arbitrary files. This can lead to remote code execution on the affected server without requiring any user interaction or privileges. The vulnerability has a CVSS score of 9.8 (critical), with full impact on confidentiality, integrity, and availability. Although no known exploits are currently reported in the wild, the ease of exploitation and the potential damage make it a significant threat. Organizations using WP Foodbakery should urgently apply patches or implement mitigations to prevent exploitation. Countries with widespread WordPress usage and significant adoption of this plugin, especially those with large e-commerce or content-driven sites, are at higher risk.

AI-Powered Analysis

AI analysis last updated: 02/26/2026, 02:11:58 UTC

Technical Analysis

CVE-2024-13011 is a critical security vulnerability classified under CWE-434 (Unrestricted Upload of File with Dangerous Type) affecting the WP Foodbakery plugin for WordPress, developed by Chimpstudio. The flaw exists in the 'upload_publisher_profile_image' function, which fails to properly validate the type of the file being uploaded. This lack of validation enables unauthenticated attackers to upload arbitrary files, including server-side scripts, to the server hosting the WordPress site. In the usual CWE-434 pattern this means submitting a PHP file (or a file whose name carries a second extension the web server maps to PHP) through the upload endpoint and then requesting it directly from the uploads directory, which sits under the web root. Since the vulnerability requires no authentication or user interaction, it can be exploited remotely by attackers scanning for vulnerable sites.

Successful exploitation could lead to remote code execution (RCE), allowing attackers to execute arbitrary commands as the web server user, compromise site data, deface websites, or pivot to other internal systems. The vulnerability affects all versions up to and including 4.7 of the plugin. The CVSS 3.1 base score of 9.8 reflects the critical nature of this vulnerability: the attack vector is network-based, no privileges are required, and no user interaction is needed. While no public exploits have been reported yet, the vulnerability's characteristics make it a prime target for attackers once weaponized. The absence of official patches at the time of disclosure increases the urgency for administrators to apply workarounds or restrict upload functionality until a fix is available.
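The following is an added illustrative example, not WP Foodbakery's code and not derived from it: a reconstruction of the CWE-434 pattern the analysis describes, placed next to a hardened handler built on WordPress upload APIs (check_ajax_referer, wp_check_filetype_and_ext via wp_handle_upload). The AJAX hook names, the 'profile_image' form field, the nonce action and every fb_example_* identifier are assumptions made for the illustration.

```php
<?php
// Added illustrative example, not WP Foodbakery's code. Hook names, the
// 'profile_image' field, the nonce action and fb_example_* names are assumptions.

// ---------- Vulnerable pattern (do not deploy) ----------
// Registering on wp_ajax_nopriv_* lets anonymous POSTs to admin-ajax.php reach
// the handler. It trusts the client-supplied name and MIME type and writes the
// file, name intact, under the web root: "shell.php" becomes a reachable script.
// add_action('wp_ajax_nopriv_upload_publisher_profile_image', 'fb_example_upload_vulnerable');
// add_action('wp_ajax_upload_publisher_profile_image',        'fb_example_upload_vulnerable');
function fb_example_upload_vulnerable() {
    $f   = $_FILES['profile_image'];                 // no login, capability or nonce check
    $dir = wp_upload_dir();
    if (strpos($f['type'], 'image/') === 0) {        // $_FILES['type'] is set by the client
        move_uploaded_file($f['tmp_name'], $dir['path'] . '/' . $f['name']); // no wp_check_filetype_and_ext()
        wp_send_json_success($dir['url'] . '/' . $f['name']);
    }
    wp_send_json_error('not an image');
}

// ---------- Hardened handler ----------
// Logged-in users only (no nopriv hook), nonce and capability checked, file
// validated by content as well as extension, stored under a server-chosen name.
add_action('wp_ajax_upload_publisher_profile_image', 'fb_example_upload_hardened');

const FB_EXAMPLE_IMAGE_MIMES = [
    'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'png' => 'image/png',
    'gif' => 'image/gif',  'webp' => 'image/webp',   // no svg: it is XML and can carry script
];

function fb_example_upload_hardened() {
    check_ajax_referer('fb_profile_image', 'nonce');          // dies with 403 on a bad or missing nonce
    if (!is_user_logged_in() || !current_user_can('upload_files')) {
        wp_send_json_error('forbidden', 403);
    }
    $file = $_FILES['profile_image'] ?? null;
    if (!$file || $file['error'] !== UPLOAD_ERR_OK) {
        wp_send_json_error('no file received', 400);
    }
    $problem = fb_example_validate_image($file['tmp_name'], $file['name'], FB_EXAMPLE_IMAGE_MIMES);
    if ($problem !== null) {
        wp_send_json_error($problem, 415);
    }
    // wp_handle_upload() re-checks extension and MIME against this allowlist via
    // wp_check_filetype_and_ext() and moves the file into the uploads tree.
    $result = wp_handle_upload($file, [
        'test_form'                => false,
        'mimes'                    => FB_EXAMPLE_IMAGE_MIMES,
        'unique_filename_callback' => 'fb_example_random_name',
    ]);
    if (isset($result['error'])) {
        wp_send_json_error($result['error'], 415);
    }
    update_user_meta(get_current_user_id(), 'fb_profile_image', esc_url_raw($result['url']));
    wp_send_json_success($result['url']);
}

// Discard the client's filename; keep only the already-validated extension.
function fb_example_random_name($dir, $name, $ext) {
    return wp_generate_password(24, false) . $ext;
}

// Pure-PHP validation (no WordPress dependency). Returns null when the upload is
// an acceptable image, otherwise a short reason. Checks, in order: the final
// extension is allowlisted; no earlier name segment is a script extension
// (catches "shell.php.jpg", which some Apache handler mappings execute); the
// bytes on disk sniff as the MIME type the extension promises; the file decodes.
function fb_example_validate_image(string $tmp, string $client_name, array $allowed): ?string {
    $segments = explode('.', strtolower(basename($client_name)));
    if (count($segments) < 2) {
        return 'missing extension';
    }
    $ext = array_pop($segments);
    if (!isset($allowed[$ext])) {
        return "extension .$ext not allowed";
    }
    foreach ($segments as $seg) {
        if (preg_match('/^(php\d?|phtml|phar|pht|cgi|pl|py|sh)$/', $seg)) {
            return 'script extension embedded in filename';
        }
    }
    $sniffed = (new finfo(FILEINFO_MIME_TYPE))->file($tmp);   // magic bytes, not $_FILES['type']
    if ($sniffed !== $allowed[$ext]) {
        return "content is $sniffed, not {$allowed[$ext]}";
    }
    if (@getimagesize($tmp) === false) {
        return 'not a decodable image';
    }
    return null;
}
```

The three differences that matter are the missing nopriv hook (the endpoint is no longer reachable without a session), validation of the bytes on disk rather than the client-supplied Content-Type, and a random server-chosen filename so that nothing in the request can influence what ends up under the web root. Because the vulnerable pattern calls move_uploaded_file() directly, WordPress-level filters such as upload_mimes never run for it; this is why a web-server rule that refuses to execute scripts from the uploads tree is still worth having even after the handler is fixed.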

Potential Impact

The impact of CVE-2024-13011 is severe for organizations using the WP Foodbakery plugin. Exploitation can lead to full system compromise via remote code execution, resulting in unauthorized access to sensitive data, defacement of websites, disruption of services, and potential use of the compromised server as a foothold for further attacks within the network. Confidentiality, integrity, and availability of the affected systems are all at high risk. For e-commerce sites, this could mean theft of customer data or financial fraud. For content-driven sites, it could result in loss of reputation and user trust. The fact that no authentication or user interaction is required significantly lowers the barrier for attackers, increasing the likelihood of exploitation. Organizations without timely mitigation may face data breaches, regulatory penalties, and operational downtime.

Mitigation Recommendations

Until an official patch is released, organizations should take immediate steps to mitigate the risk. The most direct one is to disable or restrict the file upload functionality in the WP Foodbakery plugin, especially the 'upload_publisher_profile_image' feature, since it is reachable without authentication. Next, configure the web server so that nothing under the uploads tree is executed or served as a script (a .htaccess or virtual-host rule denying .php, .phtml, .phar and similar names); file-system permissions alone do not achieve this, because the web server's PHP handler will execute any script it can read. Implement web application firewall (WAF) rules to block suspicious uploads to this endpoint and monitor for unusual upload activity. Restrict accepted file types at the application level to safe raster image formats (e.g., JPEG, PNG), validating by file content and extension rather than by the client-supplied MIME type, and excluding SVG, which can carry script.

Regularly audit the uploads directory for script files or for images whose contents are not actually image data. Update the plugin as soon as a fixed version becomes available, and confirm the installed version is above 4.7 afterwards. Additionally, maintain regular backups and have an incident response plan ready in case of compromise; if a web shell is found, treat the host as compromised rather than simply deleting the file. Network segmentation and limiting administrative access can also reduce the potential damage.
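As an added example (not from the advisory, the vendor, or any patch), the Apache configuration below blocks execution and direct serving of script files from the WordPress uploads tree; it is the web-server control the mitigation above refers to. It assumes Apache 2.4 (Require syntax), that AllowOverride permits FilesMatch and Options in .htaccess, and the standard wp-content/uploads location.

```apache
# wp-content/uploads/.htaccess  (added example, not part of the advisory or plugin)
# Requires Apache 2.4 and AllowOverride permitting these directives; otherwise
# place the same block inside a <Directory> for the uploads path in the vhost.

# Refuse to serve anything that looks like a server-side script, whatever the
# handler mapping: shell.php, shell.phtml, shell.php7, shell.phar, and double
# extensions such as shell.php.jpg (the middle segment is matched by "(\.|$)").
<IfModule mod_authz_core.c>
    <FilesMatch "(?i)\.(php[0-9]?|phtml|phar|pht|shtml|pl|py|cgi|sh)(\.|$)">
        Require all denied
    </FilesMatch>
</IfModule>

# Belt and braces for mod_php deployments: turn the PHP engine off for this tree.
# Under php-fpm these blocks are inert and the FilesMatch above is the control.
<IfModule mod_php.c>
    php_flag engine off
</IfModule>
<IfModule mod_php7.c>
    php_flag engine off
</IfModule>

# No CGI execution and no directory listing of whatever was uploaded.
# (Needs "AllowOverride Options"; drop this line if it produces a 500.)
Options -ExecCGI -Indexes
```

Verify the rule by placing a harmless file named test.php containing only text under the uploads directory and requesting it: a 403 confirms the rule is active, while a 200 (or the file being executed) means .htaccess processing is disabled and the block must go into the vhost configuration. On nginx the equivalent is a regex location for ^/wp-content/uploads/.*\.(php|phtml|phar|pht)$ that returns 403, declared before the generic \.php$ location so that it wins.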


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2024-12-28T11:17:28.383Z
CVSS Version: 3.1
State: PUBLISHED


Added to database: 2/25/2026, 9:49:00 PM

Last enriched: 2/26/2026, 2:11:58 AM

Last updated: 2/26/2026, 6:45:31 AM


