CVE-2024-13720: 
WordPress vulnerability analysis and mitigation

The WP Image Uploader plugin for WordPress contains a critical vulnerability (CVE-2024-13720) discovered in all versions up to and including 1.0.1. The vulnerability stems from insufficient file path validation in the gky_image_uploader_main_function() function, which allows unauthenticated attackers to delete arbitrary files on the server (NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 9.1 (CRITICAL) by NIST with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H, while Wordfence assessed it with a score of 8.8 (HIGH) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The vulnerability is classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) (NVD).

The vulnerability enables unauthenticated attackers to delete arbitrary files on the server. This capability is particularly dangerous as it can lead to remote code execution when critical files, such as wp-config.php, are targeted for deletion (NVD).

Users should immediately update their WP Image Uploader plugin to a version newer than 1.0.1 if available, or remove the plugin entirely if no patch is available. The vulnerability has been documented in the WordPress plugin repository (WordPress Plugin).