WpHealth WP Umbrella - LFI (CVE-2024-12209)
0Exploiting IPs reported
The WP Umbrella: Update Backup Restore & Monitoring plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.17.0 via the 'filename' parameter of the 'umbrella-restore' action. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
CrowdSec analysis
CVE-2024-12209 is a Local File Inclusion (LFI) vulnerability in the WP Umbrella: Update Backup Restore & Monitoring plugin for WordPress. The vulnerability allows unauthenticated attackers to include and execute arbitrary files on the server via the 'filename' parameter of the 'umbrella-restore' action, potentially leading to code execution and sensitive data exposure.
CrowdSec has been tracking this vulnerability and its exploits since 30th of June 2025.
CrowdSec network data shows that most actors exploiting CVE-2024-12209 rely on broad, untargeted scans with minimal filtering. The activity is largely automated and opportunistic in nature. Additionally, according to week-over-week analysis by CrowdSec, exploitation of CVE-2024-12209 is surging. Attack volumes are spiking well above historical norms, indicating widespread and escalating interest from threat actors. CVE-2024-12209 is currently experiencing high visibility and active exploitation across the internet.
Exploitation of CVE-2024-12209 involves sending a crafted request to the vulnerable plugin's 'umbrella-restore' action with a malicious 'filename' parameter.
Exploitation
Get real-time information about exploitation attempts and actors involved.
Protection
Find out relevant information to protect your stack against this CVE.
Blocklist
With our advanced worldwide network detection, CrowdSec can provide a list of IPs known for exploiting the vulnerability.
To increase your protection against this CVE, block exploitation attempts with this list of identified actors.