CVE-2024-31247 Overview
CVE-2024-31247 is a sensitive information disclosure vulnerability in the FG Drupal to WordPress plugin by Frédéric GILLES. It is classified as [CWE-532] (Insertion of Sensitive Information into Log File) and affects all plugin versions up to and including 3.70.3. During a migration the plugin writes sensitive data into log files that are reachable over the network with no authentication in front of them. An attacker can fetch these logs without credentials or user interaction and recover migration data that may include credentials, database connection details, or user information from the source Drupal site. The issue is rated high severity: confidentiality is fully impacted, while integrity and availability are unaffected.
Critical Impact
Unauthenticated remote attackers can read the migration log files generated by the FG Drupal to WordPress plugin, disclosing credentials and database connection information recorded during the import.
Affected Products
- FG Drupal to WordPress plugin versions through 3.70.3
- WordPress installations using the fg-drupal-to-wp plugin for site migration
- Sites that performed Drupal-to-WordPress migrations and retained generated log artifacts
Discovery Timeline
- 2024-04-10 - CVE-2024-31247 published to NVD
- 2026-04-28 - Last updated in NVD database
Technical Details for CVE-2024-31247
Vulnerability Analysis
The FG Drupal to WordPress plugin helps administrators migrate content from a Drupal site into WordPress. During the import it writes log files recording operational details of the migration. Those files land in a location the web server exposes directly, and no authentication is enforced on that path.
The issue is a straightforward information disclosure: an attacker who knows or guesses the log file location issues an HTTP GET and receives its contents. No privileges, no user interaction and no prior access are required; the whole attack runs over the network.
The Exploit Prediction Scoring System (EPSS) places this issue in the 72nd percentile, meaning its estimated probability of exploitation in the wild is higher than that of roughly 72% of all scored CVEs.
Root Cause
The root cause is that the plugin records migration details, including potentially sensitive parameters, in its log files without sanitizing what is written [CWE-532], and stores those files where the web server serves them as static content. Static files never pass through WordPress, so no application-layer authorization check runs and whatever was logged is readable by anyone who can reach the path.
Attack Vector
A remote attacker identifies a WordPress site running the vulnerable plugin and issues HTTP requests to predictable log file paths under the plugin directory or wp-content/uploads. A successful request returns log content containing migration metadata, which the attacker searches for credentials, database hostnames, user records, or configuration values that enable further compromise of the WordPress site or the source Drupal site.
No verified proof-of-concept code has been published. The vulnerability mechanism is documented in the Patchstack Vulnerability Database Entry.
Detection Methods for CVE-2024-31247
Indicators of Compromise
- HTTP GET requests for files with .log, .txt or similar extensions under wp-content/plugins/fg-drupal-to-wp/ or wp-content/uploads/
- 200 OK responses with a non-trivial body to such requests from clients that never authenticated to the site; a run of 403 or 404 responses to the same kind of paths indicates enumeration rather than a successful retrieval
- Web server access logs showing a single source cycling through migration-related file names
Detection Strategies
- Inventory WordPress installations and identify any running the fg-drupal-to-wp plugin at or below version 3.70.3
- Scan the web root for log files containing migration data and verify whether they are served on a direct URL request (a curl -I against the path should return 403 or 404, not 200)
- Review web access logs for external requests to plugin log artifacts following migration activity
Monitoring Recommendations
- Alert on unauthenticated HTTP requests that successfully retrieve .log or .txt files from plugin or upload directories (alerting on every file under plugin directories is too noisy, since plugins legitimately serve JavaScript, CSS and images from there)
- Monitor login and database-connection activity against the source Drupal site, and against any other system whose credentials may have appeared in the retrieved logs
- Track plugin version inventory across WordPress estates and flag installations that remain on vulnerable releases
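The access-log review described in the indicators and detection strategies above, written out as an added example (this is not tooling from the plugin, Patchstack or NVD). It parses combined-format access-log lines, flags successful retrievals of log-like files under the plugin and uploads trees, counts failed probes per source so enumeration stands out, and ignores the readme.txt that every plugin ships, which would otherwise be a constant false positive. The plugin's real log file names are not published, so matching on directory plus extension is an assumption you should tune to what you find on disk; the log lines are constructed for the example.

```python
import re
from collections import defaultdict

# Apache/Nginx "combined" access-log format: ip ident user [ts] "req" status size ...
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Directories the advisory names for migration log artifacts. The exact file
# names are not published, so this is an assumption about layout (directory +
# extension), not a vendor-documented path. Adjust after inspecting the disk.
SENSITIVE_PATH_RE = re.compile(
    r'^/wp-content/(?:plugins/fg-drupal-to-wp|uploads)(?:/[^?#]*)?/[^/?#]+\.(?:log|txt)$',
    re.IGNORECASE,
)

# Shipped with most plugins and always served: a 200 for these is normal traffic.
EXCLUDED_FILES = {"readme.txt", "license.txt", "changelog.txt"}

# Constructed sample traffic (RFC 5737 documentation addresses), not real data.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Apr/2024:10:01:02 +0000] "GET /wp-content/plugins/fg-drupal-to-wp/ HTTP/1.1" 403 199 "-" "curl/8.0"
203.0.113.7 - - [12/Apr/2024:10:01:03 +0000] "GET /wp-content/plugins/fg-drupal-to-wp/log.txt HTTP/1.1" 404 153 "-" "curl/8.0"
203.0.113.7 - - [12/Apr/2024:10:01:04 +0000] "GET /wp-content/uploads/fg-drupal-to-wp/import.log HTTP/1.1" 200 48213 "-" "curl/8.0"
198.51.100.9 - - [12/Apr/2024:10:05:00 +0000] "GET /robots.txt HTTP/1.1" 200 67 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Apr/2024:10:05:01 +0000] "GET /wp-content/uploads/2024/04/photo.jpg HTTP/1.1" 200 20311 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Apr/2024:10:05:02 +0000] "GET /wp-content/plugins/fg-drupal-to-wp/readme.txt HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.4 - - [12/Apr/2024:10:06:00 +0000] "GET /wp-content/uploads/migration.log HTTP/1.1" 403 199 "-" "python-requests/2.31"
192.0.2.4 - - [12/Apr/2024:10:06:01 +0000] "GET /wp-content/uploads/migration.txt HTTP/1.1" 403 199 "-" "python-requests/2.31"
192.0.2.4 - - [12/Apr/2024:10:06:02 +0000] "GET /wp-content/uploads/fg-drupal-to-wp/migration.log HTTP/1.1" 403 199 "-" "python-requests/2.31"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not parse."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["size"] = 0 if entry["size"] == "-" else int(entry["size"])
    return entry


def classify(entry):
    """'retrieval': a log-like file under the watched trees was actually served.
    'probe': the path was requested but nothing came back (403/404, HEAD, empty body).
    None: not of interest (other paths, or a plugin readme that is always public)."""
    path = entry["path"].split("?", 1)[0]
    if not SENSITIVE_PATH_RE.match(path):
        return None
    if path.rsplit("/", 1)[-1].lower() in EXCLUDED_FILES:
        return None
    if entry["method"] == "GET" and entry["status"] == 200 and entry["size"] > 0:
        return "retrieval"
    return "probe"


def analyse(lines, probe_threshold=3):
    """Return {ip: {"retrievals": [paths], "probes": n}} for every source that
    either retrieved a log-like file or probed at least probe_threshold distinct
    candidate paths. Unparseable lines are skipped."""
    per_ip = defaultdict(lambda: {"retrievals": [], "probed": set()})
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        kind = classify(entry)
        if kind == "retrieval":
            per_ip[entry["ip"]]["retrievals"].append(entry["path"])
        elif kind == "probe":
            per_ip[entry["ip"]]["probed"].add(entry["path"])
    findings = {}
    for ip, info in per_ip.items():
        if info["retrievals"] or len(info["probed"]) >= probe_threshold:
            findings[ip] = {"retrievals": info["retrievals"], "probes": len(info["probed"])}
    return findings


if __name__ == "__main__":
    for ip, info in analyse(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {len(info['retrievals'])} retrieval(s), {info['probes']} distinct probe path(s)")
        for p in info["retrievals"]:
            print(f"    retrieved {p}")
```

Run it against a real access log with analyse(open("access.log")). A retrieval finding means the log contents must be assumed disclosed and the credential rotation in the mitigation section applies; a probe-only finding with a hardened server is evidence of scanning and worth a block, but not of exposure.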
How to Mitigate CVE-2024-31247
Immediate Actions Required
- Update the FG Drupal to WordPress plugin to a release later than 3.70.3, as published by the vendor
- Move existing migration log files out of web-accessible locations (move rather than delete if you may still need them for an incident investigation)
- Rotate any credentials, API keys, or database passwords that were, or may have been, recorded in the exposed logs
- Review WordPress and source Drupal user accounts for unauthorized access following the migration
Patch Information
The vendor has addressed the issue in releases after 3.70.3; the Patchstack Vulnerability Database Entry lists the exact fixed version. Apply the update through the WordPress plugin manager, then confirm the installed version on the Plugins screen or with WP-CLI (wp plugin get fg-drupal-to-wp --field=version).
Workarounds
- Restrict access to the plugin directory and wp-content/uploads with web server rules that deny direct requests for .log files (and .txt files if the migration logs use that extension)
- Remove the plugin entirely once the migration is complete; it is not needed for ongoing WordPress operation
- On Apache, place the rule in an .htaccess file inside the directories that hold migration artifacts (Require all denied on 2.4, Order/Deny from all on 2.2) rather than at the web root, so that site-level files such as robots.txt stay reachable; this requires AllowOverride to permit the directive there
- On Nginx, add a location block scoped to the same paths that returns 403 for those extensions, and put it before any other regex location (static-asset caching rules, for instance) that could match the same files, since Nginx uses the first matching regex location
- After applying either rule, request one of the files directly (curl -I) and confirm the server answers 403 rather than 200
    # Apache 2.4 .htaccess, placed in wp-content/plugins/fg-drupal-to-wp/ and wp-content/uploads/
    <FilesMatch "\.(log|txt)$">
        Require all denied
    </FilesMatch>
    # Apache 2.2 equivalent
    <FilesMatch "\.(log|txt)$">
        Order allow,deny
        Deny from all
    </FilesMatch>
    # Nginx equivalent, scoped to the same paths; deny all already answers 403,
    # so a separate return 403 in the same block would never be reached
    location ~* ^/wp-content/(plugins/fg-drupal-to-wp|uploads)/.*\.(log|txt)$ {
        deny all;
    }
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.