WordPress RCE Vulnerability CVE-2024-31210 Puts Websites at Risk

Hitesh Kadu

Last updated on: May 6, 2025

WordPress is a widely used open publishing platform for the web. A security vulnerability was discovered that allows administrator-level users on single-site installations and Super Admin-level users on Multisite installations to execute arbitrary PHP code. This vulnerability affects WordPress versions prior to 6.4.3 and was addressed in a security patch released on January 30, 2024.

Qualys Web Application Scanning released a QID 154154 to address CVE-2024-31210.

WordPress Vulnerability Details and Security Risks

Administrative users on single-site installations and Super Admin-level users on Multisite installations could exploit a flaw in the plugin upload mechanism. When attempting to upload a file of a type other than a zip file as a new plugin via the `Plugins -> Add New -> Upload Plugin` screen, if FTP credentials were requested for installation, the uploaded file remained temporarily available in the Media Library despite not being allowed. This allowed for the potential execution of arbitrary PHP code.

WordPress Versions Affected by the Vulnerability

WordPress below 4.1.39  
WordPress from 4.2 to 4.2.36  
WordPress from 4.3 to 4.3.32  
WordPress from 4.4 to 4.4.31  
WordPress from 4.5 to 4.5.30  
WordPress from 4.6 to 4.6.27  
WordPress from 4.7 to 4.7.27  
WordPress from 4.8 to 4.8.23  
WordPress from 4.9 to 4.9.24  
WordPress from 5.0 to 5.0.20  
WordPress from 5.1 to 5.1.17  
WordPress from 5.2 to 5.2.19  
WordPress from 5.3 to 5.3.16  
WordPress from 5.4 to 5.4.14  
WordPress from 5.5 to 5.5.13  
WordPress from 5.6 to 5.6.12  
WordPress from 5.7 to 5.7.10  
WordPress from 5.8 to 5.8.8  
WordPress from 5.9 to 5.9.8  
WordPress from 6.0 to 6.0.6  
WordPress from 6.1 to 6.1.4  
WordPress from 6.2 to 6.2.3  
WordPress from 6.3 to 6.3.2  
WordPress from 6.4 to 6.4.2

Impact of the WordPress Vulnerability on Websites

How This WordPress Vulnerability Can Be Exploited

  • Administrator-level users on single-site installations and Super Admin-level users on Multisite installations could execute arbitrary PHP code.

Why This WordPress Vulnerability May Not Be Exploitable

  • Lower-level users are not affected.
  • Sites where the `DISALLOW_FILE_MODS` constant is set to `true` are not affected.
  • Sites where administrative users do not need to enter FTP credentials or have access to valid FTP credentials are not affected.

Detecting the Vulnerability with Qualys WAS

Customers can detect this vulnerability with Qualys Web Application Scanning using the following QID:

QID 154154: WordPress Core: Remote Code Execution via Plugin Upload (CVE-2024-31210)

Vulnerability Scan Reports

On successful detection, users shall see a similar kind of result in the vulnerability scan report:

Steps to Mitigate the WordPress Vulnerability

  1. Apply Security Patch: Update WordPress to version 6.4.3 or later to address the vulnerability.
  2. Implement Workaround: Define the `DISALLOW_FILE_MODS` constant as `true` to prevent any user from uploading a plugin, thereby making the issue non-exploitable.

Fix for the WordPress Vulnerability and Security Patch

The issue was fixed in WordPress version 6.4.3, released on January 30, 2024. The fix was backported to various previous versions to ensure wider coverage.

Workaround

Define the DISALLOW_FILE_MODS constant as true to prevent any user from uploading a plugin, thus preventing the vulnerability from being exploited.

References

Contributors

  • Sheela Sarva, Director, Web Application Security, Qualys
Share your Comments

Comments

Your email address will not be published. Required fields are marked *