WordPress RCE Vulnerability CVE-2024-31210 Puts Websites at Risk
Last updated on: May 6, 2025
Table of Contents
- WordPress Vulnerability Details and Security Risks
- WordPress Versions Affected by the Vulnerability
- Impact of the WordPress Vulnerability on Websites
- Detecting the Vulnerability with Qualys WAS
- Vulnerability Scan Reports
- Steps to Mitigate the WordPress Vulnerability
- Fix for the WordPress Vulnerability and Security Patch
- Workaround
- References
- Contributors
WordPress is a widely used open publishing platform for the web. A security vulnerability was discovered that allows administrator-level users on single-site installations and Super Admin-level users on Multisite installations to execute arbitrary PHP code. This vulnerability affects WordPress versions prior to 6.4.3 and was addressed in a security patch released on January 30, 2024.
Qualys Web Application Scanning released a QID 154154 to address CVE-2024-31210.
WordPress Vulnerability Details and Security Risks
Administrative users on single-site installations and Super Admin-level users on Multisite installations could exploit a flaw in the plugin upload mechanism. When attempting to upload a file of a type other than a zip file as a new plugin via the `Plugins -> Add New -> Upload Plugin` screen, if FTP credentials were requested for installation, the uploaded file remained temporarily available in the Media Library despite not being allowed. This allowed for the potential execution of arbitrary PHP code.
WordPress Versions Affected by the Vulnerability
WordPress below 4.1.39
WordPress from 4.2 to 4.2.36
WordPress from 4.3 to 4.3.32
WordPress from 4.4 to 4.4.31
WordPress from 4.5 to 4.5.30
WordPress from 4.6 to 4.6.27
WordPress from 4.7 to 4.7.27
WordPress from 4.8 to 4.8.23
WordPress from 4.9 to 4.9.24
WordPress from 5.0 to 5.0.20
WordPress from 5.1 to 5.1.17
WordPress from 5.2 to 5.2.19
WordPress from 5.3 to 5.3.16
WordPress from 5.4 to 5.4.14
WordPress from 5.5 to 5.5.13
WordPress from 5.6 to 5.6.12
WordPress from 5.7 to 5.7.10
WordPress from 5.8 to 5.8.8
WordPress from 5.9 to 5.9.8
WordPress from 6.0 to 6.0.6
WordPress from 6.1 to 6.1.4
WordPress from 6.2 to 6.2.3
WordPress from 6.3 to 6.3.2
WordPress from 6.4 to 6.4.2
Impact of the WordPress Vulnerability on Websites
How This WordPress Vulnerability Can Be Exploited
- Administrator-level users on single-site installations and Super Admin-level users on Multisite installations could execute arbitrary PHP code.
Why This WordPress Vulnerability May Not Be Exploitable
- Lower-level users are not affected.
- Sites where the `DISALLOW_FILE_MODS` constant is set to `true` are not affected.
- Sites where administrative users do not need to enter FTP credentials or have access to valid FTP credentials are not affected.
Detecting the Vulnerability with Qualys WAS
Customers can detect this vulnerability with Qualys Web Application Scanning using the following QID:
QID 154154: WordPress Core: Remote Code Execution via Plugin Upload (CVE-2024-31210)
Vulnerability Scan Reports
On successful detection, users shall see a similar kind of result in the vulnerability scan report:
Steps to Mitigate the WordPress Vulnerability
- Apply Security Patch: Update WordPress to version 6.4.3 or later to address the vulnerability.
- Implement Workaround: Define the `DISALLOW_FILE_MODS` constant as `true` to prevent any user from uploading a plugin, thereby making the issue non-exploitable.
Fix for the WordPress Vulnerability and Security Patch
The issue was fixed in WordPress version 6.4.3, released on January 30, 2024. The fix was backported to various previous versions to ensure wider coverage.
Workaround
Define the DISALLOW_FILE_MODS constant as true to prevent any user from uploading a plugin, thus preventing the vulnerability from being exploited.
References
Contributors
- Sheela Sarva, Director, Web Application Security, Qualys