CVE-2024-13767
First published: Fri Jan 31 2025(Updated: )
The Live2DWebCanvas plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the ClearFiles() function in all versions up to, and including, 1.9.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
Credit: security@wordfence.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Live2D | <=1.9.11 | |
| WordPress |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2024-13767?
CVE-2024-13767 has a severity rating that indicates a risk of arbitrary file deletion for authenticated attackers.
How do I fix CVE-2024-13767?
To fix CVE-2024-13767, update the Live2DWebCanvas plugin to version 1.9.12 or later.
Who is affected by CVE-2024-13767?
CVE-2024-13767 affects authenticated users with Subscriber-level access and above on websites using the Live2DWebCanvas plugin.
What versions of Live2DWebCanvas are vulnerable in CVE-2024-13767?
All versions up to and including 1.9.11 of the Live2DWebCanvas plugin are vulnerable to CVE-2024-13767.
Can unauthenticated users exploit CVE-2024-13767?
No, CVE-2024-13767 requires authenticated user access to exploit the arbitrary file deletion vulnerability.
- collector/nvd-api
- source/NVD
- agent/type
- agent/description
- agent/first-publish-date
- agent/last-modified-date
- agent/severity
- agent/weakness
- agent/source
- agent/references
- agent/author
- agent/event
- agent/softwarecombine
- agent/tags
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/live2d
- canonical/live2d
- vendor/wordpress
- canonical/wordpress