WordPress Remote Code Execution via Plugin Upload (CVE-2024-31210)

Hitesh Kadu
Hitesh Kadu, Senior, Web Application Security Signatures Engineer
- 3 min read

Table of Contents

WordPress is a widely used open publishing platform for the web. A security vulnerability was discovered that allows administrator-level users on single-site installations and Super Admin-level users on Multisite installations to execute arbitrary PHP code. This vulnerability affects WordPress versions prior to 6.4.3 and was addressed in a security patch released on January 30, 2024. 

Qualys Web Application Scanning released a QID 154154 to address CVE-2024-31210.

Vulnerability Details

Administrative users on single-site installations and Super Admin-level users on Multisite installations could exploit a flaw in the plugin upload mechanism. When attempting to upload a file of a type other than a zip file as a new plugin via the `Plugins -> Add New -> Upload Plugin` screen, if FTP credentials were requested for installation, the uploaded file remained temporarily available in the Media Library despite not being allowed. This allowed for the potential execution of arbitrary PHP code.

Affected Versions

WordPress below 4.1.39  
WordPress from 4.2 to 4.2.36  
WordPress from 4.3 to 4.3.32  
WordPress from 4.4 to 4.4.31  
WordPress from 4.5 to 4.5.30  
WordPress from 4.6 to 4.6.27  
WordPress from 4.7 to 4.7.27  
WordPress from 4.8 to 4.8.23  
WordPress from 4.9 to 4.9.24  
WordPress from 5.0 to 5.0.20  
WordPress from 5.1 to 5.1.17  
WordPress from 5.2 to 5.2.19  
WordPress from 5.3 to 5.3.16  
WordPress from 5.4 to 5.4.14  
WordPress from 5.5 to 5.5.13  
WordPress from 5.6 to 5.6.12  
WordPress from 5.7 to 5.7.10  
WordPress from 5.8 to 5.8.8  
WordPress from 5.9 to 5.9.8  
WordPress from 6.0 to 6.0.6  
WordPress from 6.1 to 6.1.4  
WordPress from 6.2 to 6.2.3  
WordPress from 6.3 to 6.3.2  
WordPress from 6.4 to 6.4.2

Impact

Exploitable:

  • Administrator-level users on single-site installations and Super Admin-level users on Multisite installations could execute arbitrary PHP code.

Not Exploitable:

  • Lower-level users are not affected.
  • Sites where the `DISALLOW_FILE_MODS` constant is set to `true` are not affected.
  • Sites where administrative users do not need to enter FTP credentials or have access to valid FTP credentials are not affected.

Detecting the Vulnerability with Qualys WAS

Customers can detect this vulnerability with Qualys Web Application Scanning using the following QID:

QID 154154: WordPress Core: Remote Code Execution via Plugin Upload (CVE-2024-31210)

Report

On successful detection, users shall see a similar kind of result in the vulnerability scan report:

Mitigation Steps

  1. Apply Security Patch: Update WordPress to version 6.4.3 or later to address the vulnerability.
  2. Implement Workaround: Define the `DISALLOW_FILE_MODS` constant as `true` to prevent any user from uploading a plugin, thereby making the issue non-exploitable.

Fix

The issue was fixed in WordPress version 6.4.3, released on January 30, 2024. The fix was backported to various previous versions to ensure wider coverage.

Workaround

Define the DISALLOW_FILE_MODS constant as true to prevent any user from uploading a plugin, thus preventing the vulnerability from being exploited.

References

Contributors

  • Sheela Sarva, Director, Web Application Security, Qualys
Share your Comments

Comments

Your email address will not be published. Required fields are marked *