CVE-2024-31345 Overview
CVE-2024-31345 is an unrestricted file upload vulnerability in the Sukhchain Singh Auto Poster plugin for WordPress. The flaw affects all versions of Auto Poster up to and including 1.2. An authenticated attacker holding a high-privilege role can upload files of dangerous types, resulting in arbitrary file upload to the WordPress server. The weakness is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type). The public record is the Patchstack Vulnerability Advisory, which attributes the issue to the plugin's file handling logic.
Critical Impact
Successful exploitation allows an authenticated attacker to upload arbitrary files, including PHP web shells, leading to remote code execution on the underlying WordPress host.
Affected Products
- Sukhchain Singh Auto Poster plugin for WordPress
- All versions from initial release through 1.2
- WordPress sites with the vulnerable plugin installed and activated
Discovery Timeline
- 2024-04-07 - CVE-2024-31345 published to NVD
- 2026-04-28 - Last updated in NVD database
Technical Details for CVE-2024-31345
Vulnerability Analysis
The Auto Poster plugin exposes a file upload handler that does not validate the type, extension, or content of uploaded files. An authenticated attacker with sufficient privileges can submit a request carrying an executable file such as a PHP script. The server stores the file in a web-accessible directory of the WordPress installation, so a subsequent request for the uploaded file causes the web server to execute it under its own user context. The impact covers the confidentiality, integrity, and availability of the WordPress instance and any data it processes. Because the CVSS scope metric is marked Changed, a compromise can extend beyond the plugin itself to the broader hosting environment.
Root Cause
The root cause is missing validation in the plugin's file upload routine. The handler accepts file uploads without enforcing an allowlist of safe MIME types or extensions and does not sanitize file names. As described in the Patchstack Vulnerability Advisory, this aligns with the CWE-434 pattern, in which dangerous file types reach a location where the server will interpret them.
Attack Vector
The attack is delivered over the network against the WordPress administrative or plugin endpoint. The attacker authenticates with a high-privilege account, then issues a multipart POST request to the vulnerable upload handler. The payload is a server-side script, typically a .php file; because the handler performs no extension filtering, it can be submitted under its real name with no need to disguise it. Once the upload completes, the attacker requests the file's URL to execute the embedded code. No user interaction is required.
No verified proof-of-concept code has been published. See the Patchstack advisory for technical details.
Detection Methods for CVE-2024-31345
Indicators of Compromise
- Unexpected PHP, .phtml, or .phar files in the wp-content/uploads/ directory tree, especially under paths associated with the Auto Poster plugin
- Outbound connections from the WordPress host to attacker-controlled infrastructure shortly after file uploads
- New or modified WordPress administrator accounts following plugin activity
- Web server access logs showing POST requests to Auto Poster upload endpoints followed by GET requests to newly created files
Detection Strategies
- Monitor file system events for write operations placing executable script files into WordPress upload directories
- Inspect web server logs for sequences of multipart/form-data POSTs to plugin endpoints followed by direct GET requests to uploaded artifacts
- Apply WordPress integrity monitoring to flag new PHP files appearing outside of legitimate update windows
- Correlate authenticated administrative sessions with file creation events under wp-content/
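The second detection strategy above, worked as an added example that is not part of the original page or of any Auto Poster code: a small Python script parses Apache combined-format access log lines, flags every GET for a script-like file under wp-content/uploads/, and escalates the alert when the same client POSTed to the plugin's admin page shortly before. The log lines are constructed, and the endpoint path /wp-admin/admin.php?page=auto-poster is an assumed placeholder rather than a documented plugin route; adapt PLUGIN_ENDPOINT to the real handler. Access logs do not record a POST's Content-Type, so the multipart/form-data detail has to come from the request sequence, or from a WAF or PHP-FPM log that captures it.

```python
import re
from datetime import datetime, timedelta

# Constructed Apache combined-format access log lines (sample data, not a real
# capture). The plugin page /wp-admin/admin.php?page=auto-poster is an assumed
# placeholder for the Auto Poster upload handler, whose real path the advisory
# does not state.
SAMPLE_LOG = """\
203.0.113.5 - - [07/Apr/2024:10:15:01 +0000] "GET /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.5 - - [07/Apr/2024:10:15:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [07/Apr/2024:10:15:40 +0000] "POST /wp-admin/admin.php?page=auto-poster HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.5 - - [07/Apr/2024:10:15:52 +0000] "GET /wp-content/uploads/2024/04/cache.php?cmd=id HTTP/1.1" 200 57 "-" "Mozilla/5.0"
198.51.100.7 - - [07/Apr/2024:10:16:03 +0000] "GET /wp-content/uploads/2024/04/banner.jpg HTTP/1.1" 200 20417 "-" "Mozilla/5.0"
198.51.100.7 - - [07/Apr/2024:10:16:10 +0000] "POST /wp-admin/admin.php?page=auto-poster HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.7 - - [07/Apr/2024:11:30:00 +0000] "GET /wp-content/uploads/2024/04/report.phtml HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# Assumed plugin upload endpoint (see the note above SAMPLE_LOG).
PLUGIN_ENDPOINT = re.compile(r"^/wp-admin/admin\.php\?page=auto-poster")
# Extensions a PHP handler may execute; the trailing (\.|$) also catches
# double extensions such as shell.php.jpg on AddHandler-based Apache setups.
SCRIPT_EXT = re.compile(r"\.(?:php\d?|phtml|phar|phps)(?:\.|$)", re.IGNORECASE)
UPLOADS_PREFIX = "/wp-content/uploads/"


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["file"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec


def is_script_in_uploads(path):
    """True for a request path naming a script-like file under the uploads tree."""
    return path.startswith(UPLOADS_PREFIX) and SCRIPT_EXT.search(path) is not None


def analyze(log_text, window=timedelta(minutes=5)):
    """Walk the log in order and emit one alert per GET of a script under uploads.

    The alert escalates to upload_then_execute when the same client POSTed to
    the plugin endpoint within `window` beforehand. A 404 still gets an alert:
    someone probing for a shell by name is worth a look even if it is gone.
    """
    alerts = []
    last_plugin_post = {}  # client ip -> most recent POST to the plugin endpoint
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and PLUGIN_ENDPOINT.match(rec["path"]):
            last_plugin_post[rec["ip"]] = rec
            continue
        if rec["method"] == "GET" and is_script_in_uploads(rec["file"]):
            alert = {
                "rule": "script_in_uploads",
                "ip": rec["ip"],
                "path": rec["file"],
                "status": rec["status"],
                "ts": rec["ts"].isoformat(),
            }
            prior = last_plugin_post.get(rec["ip"])
            if prior is not None and timedelta(0) <= rec["ts"] - prior["ts"] <= window:
                alert["rule"] = "upload_then_execute"
                alert["upload_request"] = prior["path"]
                alert["seconds_after_upload"] = int((rec["ts"] - prior["ts"]).total_seconds())
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

Run against a real access log by feeding the file contents to analyze(). The window is deliberately short; a longer one catches slower operators at the cost of more false pairings on busy admin sessions, so tune it against a few days of your own logs before alerting on it.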
Monitoring Recommendations
- Enable file integrity monitoring across the WordPress document root and uploads directory
- Forward web server, PHP-FPM, and WordPress audit logs to a centralized analytics platform for retention and search
- Alert on PHP worker processes (php-fpm, or the web server under mod_php) spawning shell interpreters or network utilities, and on any process executing from web-writable paths
- Track plugin inventory and version data to identify hosts still running Auto Poster 1.2 or earlier
How to Mitigate CVE-2024-31345
Immediate Actions Required
- Deactivate and remove the Auto Poster plugin from all WordPress sites until a fixed release is confirmed available
- Audit the wp-content/uploads/ directory for unauthorized executable files and remove any identified web shells
- Rotate credentials for all WordPress administrator and editor accounts that had access to the affected sites
- Review recent administrative activity logs for unauthorized plugin installations, user creation, or content changes
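The uploads audit in the second action above, as an added Python example that is not the page's or the plugin's own code: it walks a directory tree and flags files whose name carries an executable extension anywhere (including double extensions such as shell.php.jpg), plus files of any extension whose first 64 KiB contain a PHP open tag, noting when a dynamic execution or decoding primitive follows. The sample tree and its contents are constructed for the demonstration. The content check is a heuristic: treat each hit as a lead to inspect, preserve the file for forensics before deleting it, and remember that a shell can be obfuscated past this pattern list.

```python
import os
import re
import shutil
import tempfile

# Names a PHP handler may execute. The trailing (\.|$) also catches double
# extensions such as shell.php.jpg, which run on Apache hosts that map PHP
# with AddHandler rather than SetHandler.
EXEC_NAME = re.compile(r"\.(?:php\d?|phtml|phar|phps)(?:\.|$)", re.IGNORECASE)
# Content markers typical of PHP web shells: an open tag and, within the same
# window, a dynamic execution or decoding primitive. Heuristic only.
PHP_OPEN = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)
DYNAMIC_CALL = re.compile(
    rb"\b(?:eval|assert|system|passthru|shell_exec|exec|popen|proc_open|base64_decode)\s*\(",
    re.IGNORECASE,
)


def audit_uploads(root, max_read=65536):
    """Return sorted (relative_path, [reasons]) for every suspicious file under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            reasons = []
            if EXEC_NAME.search(name):
                reasons.append("executable extension")
            try:
                with open(full, "rb") as fh:
                    head = fh.read(max_read)  # shells are small; the head is enough
            except OSError:
                continue  # unreadable files are reported by permissions, not here
            if PHP_OPEN.search(head):
                reasons.append("php open tag")
                if DYNAMIC_CALL.search(head):
                    reasons.append("dynamic execution call")
            if reasons:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                findings.append((rel, reasons))
    return sorted(findings)


def build_sample_tree():
    """Create a throwaway uploads tree with constructed contents (not real data)."""
    root = tempfile.mkdtemp(prefix="wp-uploads-")
    month = os.path.join(root, "2024", "04")
    os.makedirs(month)
    samples = {
        "banner.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 64,          # benign image header
        "readme.txt": b"Plain text, nothing to see here.",            # benign text
        "notes.txt": b"<?php echo 'hello'; ?>",                       # PHP tag, no exec primitive
        "cache.php": b"<?php @eval(base64_decode($_POST['x'])); ?>",  # classic one-line shell
        "shell.php.jpg": b"<?php system($_GET['c']); ?>",             # double extension
    }
    for name, body in samples.items():
        with open(os.path.join(month, name), "wb") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    try:
        for rel, reasons in audit_uploads(root):
            print(f"{rel}: {', '.join(reasons)}")
    finally:
        shutil.rmtree(root)
```

Point audit_uploads() at the real wp-content/uploads/ directory (and, after a compromise, at the whole document root, since a shell dropped by an admin-level attacker need not stay under uploads). Compare hits against file modification times and the access-log findings to reconstruct the timeline.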
Patch Information
No vendor patch is referenced in the available advisories beyond the Patchstack listing. The vulnerability is reported as affecting Auto Poster from initial release through version 1.2. Administrators should consult the Patchstack Vulnerability Advisory for the latest remediation status and remove the plugin if no fixed version is published.
Workarounds
- Restrict execution of PHP within the WordPress uploads directory by configuring the web server to deny script handlers in that path
- Limit administrative access to WordPress using IP allowlisting, multi-factor authentication, and least-privilege role assignment
- Deploy a web application firewall rule to block multipart uploads containing PHP signatures to plugin endpoints
- Remove the Auto Poster plugin entirely if its functionality is not required
# Example Apache configuration to block PHP execution in WordPress uploads.
# Put this in the vhost or httpd.conf. In a .htaccess inside uploads/ (where
# <Directory> is not allowed) use only the inner <FilesMatch> block.
# (?i) makes the match case-insensitive, since Apache maps extensions such
# as .PHP to the handler regardless of case; the trailing (\.|$) also denies
# double extensions such as shell.php.jpg on AddHandler-based setups.
# Denied requests return 403; verify with a harmless test file after reload.
<Directory "/var/www/html/wp-content/uploads">
    <FilesMatch "(?i)\.(php[0-9]?|phtml|phar|phps)(\.|$)">
        Require all denied
    </FilesMatch>
</Directory>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.