CVE-2024-31210 Overview
WordPress, the widely-used open publishing platform for the Web, contains an Unrestricted File Upload vulnerability (CWE-434) that can lead to Remote Code Execution (RCE) under specific conditions. The vulnerability exists in the plugin upload functionality accessible via the Plugins → Add New → Upload Plugin screen in WordPress's administrative interface.
When an administrative user uploads a file through this interface, WordPress allows files of types other than the expected ZIP format. If the installation requires FTP credentials to move the file into place outside of the uploads directory, the uploaded file remains temporarily available in the Media Library despite not being an allowed file type. This creates a window of opportunity for code execution when specific configuration conditions are met.
Critical Impact
This vulnerability enables Remote Code Execution for administrative users who should otherwise be restricted from executing arbitrary PHP code when the DISALLOW_FILE_EDIT constant is set to true and FTP credentials are required for plugin installation.
Affected Products
- WordPress versions prior to 6.4.3
- WordPress versions in the 6.3.x branch prior to 6.3.3
- WordPress versions in the 6.2.x branch prior to 6.2.4
- WordPress versions in the 6.1.x branch prior to 6.1.5
- WordPress versions in the 6.0.x branch prior to 6.0.7
- WordPress versions in the 5.x branch prior to their respective patched versions (5.9.9, 5.8.9, 5.7.11, 5.6.13, 5.5.14, 5.4.15, 5.3.17, 5.2.20, 5.1.18, 5.0.21)
- WordPress versions in the 4.x branch prior to their respective patched versions (4.9.25, 4.7.28, 4.6.28, 4.5.31, 4.4.32, 4.3.33, 4.2.37, 4.1.40)
- WordPress version 2.8 prior to 2.8.24
Discovery Timeline
- January 30, 2024 - WordPress releases security patch in version 6.4.3
- April 4, 2024 - CVE-2024-31210 published to NVD
- January 7, 2026 - Last updated in NVD database
Technical Details for CVE-2024-31210
Vulnerability Analysis
This vulnerability represents an Unrestricted File Upload flaw that bypasses WordPress's intended security model. The core issue lies in how WordPress handles file uploads during the plugin installation process when FTP credentials are required. WordPress implements the DISALLOW_FILE_EDIT constant to prevent administrators from editing theme and plugin files directly through the admin interface, effectively limiting their ability to execute arbitrary PHP code. However, this security control can be circumvented through the vulnerable plugin upload mechanism.
The exploitation path requires a specific combination of site configurations: the DISALLOW_FILE_EDIT constant must be set to true, and the server configuration must require FTP credentials for plugin installation (typically when WordPress cannot write directly to the plugins directory). When these conditions are met, an uploaded file that is not a valid ZIP archive persists in the Media Library, creating an exploitable state.
Root Cause
The root cause of this vulnerability is improper file type validation in the plugin upload handling code. WordPress fails to properly clean up uploaded files when the installation process cannot complete due to missing FTP credentials. The file remains accessible in the Media Library despite not being a valid plugin archive. This behavior, combined with the security model that assumes DISALLOW_FILE_EDIT prevents code execution, creates a privilege escalation path where administrators can bypass intended restrictions.
Attack Vector
The attack leverages network-accessible administrative functionality requiring user interaction. An attacker with administrative access navigates to the plugin upload screen, uploads a malicious PHP file disguised or submitted in place of a plugin archive, and exploits the temporary file persistence when FTP credentials are requested but not provided.
The exploitation conditions include:
- Administrator or Super Admin level access to the WordPress installation
- The DISALLOW_FILE_EDIT constant set to true in the site configuration
- FTP credentials required for plugin installation (server configuration that prevents direct file writes)
- The DISALLOW_FILE_MODS constant NOT set to true
When all conditions are met, the attacker can access the uploaded PHP file through the Media Library URL, triggering arbitrary code execution with the privileges of the web server process.
Detection Methods for CVE-2024-31210
Indicators of Compromise
- Unexpected PHP files appearing in the WordPress Media Library or wp-content/uploads directory
- Administrative user activity showing repeated plugin upload attempts without successful installations
- HTTP requests to PHP files located within the uploads directory structure
- Web server logs showing POST requests to /wp-admin/update.php?action=upload-plugin followed by suspicious file access patterns
Detection Strategies
- Monitor WordPress admin activity logs for plugin upload attempts, particularly those that fail to complete installation
- Implement file integrity monitoring on the wp-content/uploads directory to detect unexpected PHP file creation
- Review web application firewall (WAF) logs for attempts to upload files with PHP extensions through the plugin upload endpoint
- Audit administrative user accounts for unauthorized access or suspicious activity patterns
Monitoring Recommendations
- Enable WordPress audit logging plugins to track administrative actions including plugin upload attempts
- Configure server-side monitoring to alert on PHP file creation within upload directories
- Implement regular security scans to identify unauthorized executable files in WordPress installations
- Monitor for outbound network connections from the web server that may indicate post-exploitation activity
How to Mitigate CVE-2024-31210
Immediate Actions Required
- Update WordPress to version 6.4.3 or later immediately
- If unable to update, set the DISALLOW_FILE_MODS constant to true in wp-config.php as a temporary workaround
- Review the Media Library for any unexpected file uploads, particularly PHP files
- Audit administrator and super administrator accounts for unauthorized access
- Review server access logs for any evidence of exploitation attempts
Patch Information
WordPress addressed this vulnerability in version 6.4.3 released on January 30, 2024. The fix has been backported to all supported branches including versions 6.3.3, 6.2.4, 6.1.5, 6.0.7, 5.9.9, 5.8.9, 5.7.11, 5.6.13, 5.5.14, 5.4.15, 5.3.17, 5.2.20, 5.1.18, 5.0.21, 4.9.25, 4.7.28, 4.6.28, 4.5.31, 4.4.32, 4.3.33, 4.2.37, 4.1.40, and 2.8.24. Administrators should update to the latest version in their branch or preferably to WordPress 6.4.3 or newer. For detailed technical information, refer to the WordPress GitHub Security Advisory.
Workarounds
- Set DISALLOW_FILE_MODS to true in wp-config.php to completely disable plugin and theme uploads, which prevents exploitation of this vulnerability
- If FTP credential requirements cannot be removed, ensure DISALLOW_FILE_MODS is enabled until the site can be updated
- Implement network-level access controls to restrict access to the WordPress admin interface to trusted IP addresses
- Consider using a Web Application Firewall (WAF) rule to block file uploads with non-ZIP extensions to the plugin upload endpoint
# WordPress configuration workaround - add to wp-config.php
define('DISALLOW_FILE_MODS', true);
# This constant prevents all plugin and theme installations/updates
# and completely mitigates this vulnerability
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
