CVE-2024-54370 Overview
CVE-2024-54370 is an arbitrary file upload vulnerability in the SuitePlugins Video & Photo Gallery for Ultimate Member WordPress plugin. The flaw affects all plugin versions up to and including 1.1.0. Authenticated attackers with low privileges can upload files of dangerous types, including PHP web shells, to the WordPress web server. Successful exploitation grants attackers code execution in the context of the web server process. The issue is tracked under CWE-434: Unrestricted Upload of File with Dangerous Type.
Critical Impact
Authenticated low-privilege users can upload web shells, leading to full site compromise, data theft, and lateral movement across hosted WordPress environments.
Affected Products
- SuitePlugins Video & Photo Gallery for Ultimate Member (gallery-for-ultimate-member) — all versions through 1.1.0
- WordPress sites running the Ultimate Member plugin ecosystem with this gallery extension installed
- Shared hosting and multisite WordPress deployments using vulnerable plugin versions
Discovery Timeline
- 2024-12-16 - CVE-2024-54370 published to NVD
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2024-54370
Vulnerability Analysis
The vulnerability resides in the file upload handler exposed by the Video & Photo Gallery for Ultimate Member plugin. The handler accepts media submissions from authenticated users but fails to enforce a restrictive allowlist of file types or to validate the actual file content. An attacker submits a file with a PHP extension or polyglot payload through the gallery upload endpoint. The plugin writes the file to a web-accessible location under the WordPress uploads directory. The attacker then requests the uploaded file directly, causing the PHP interpreter to execute the embedded code.
The scope-changed CVSS metric reflects the impact extending beyond the plugin context to the entire WordPress installation and underlying host. EPSS data places this issue near the 80th percentile, indicating elevated likelihood of exploitation attempts against exposed sites.
Root Cause
The root cause is missing validation of uploaded file extensions, MIME types, and magic bytes in the gallery upload routine. The plugin trusts client-supplied metadata and does not restrict server-side handlers from interpreting uploaded files as executable PHP.
Attack Vector
The attack requires network access and a low-privileged authenticated account, such as a subscriber or member registered through Ultimate Member. The attacker authenticates, navigates to the gallery upload feature, submits a crafted PHP file, and retrieves its URL. Requesting the URL triggers code execution under the web server user. See the Patchstack advisory for technical details.
// No verified exploit code available - see vendor advisory for technical details
Detection Methods for CVE-2024-54370
Indicators of Compromise
- New PHP files, .phtml files, or files with double extensions (e.g., image.jpg.php) written under wp-content/uploads/ paths associated with the gallery plugin
- Outbound network connections originating from the web server PHP process to attacker-controlled infrastructure
- Unexpected WordPress administrator accounts or modifications to wp-config.php and core files following gallery upload activity
- Web server access logs showing direct GET requests to uploaded files with non-image extensions
Detection Strategies
- Monitor file system events in WordPress upload directories for newly created files with executable extensions
- Inspect HTTP POST requests to plugin upload endpoints for filenames containing .php, .phar, .phtml, or null-byte sequences
- Correlate authenticated user upload activity with subsequent direct requests to the same file paths
- Run integrity checks against installed plugin files and compare hashes to known-good versions
Monitoring Recommendations
- Centralize WordPress, PHP-FPM, and web server logs in a SIEM and alert on PHP execution from upload directories
- Enable file integrity monitoring on wp-content/uploads/ and wp-content/plugins/gallery-for-ultimate-member/
- Track creation of new admin users and changes to user role capabilities in the WordPress database
- Review reverse proxy or WAF logs for upload requests carrying suspicious MIME types or oversized payloads
How to Mitigate CVE-2024-54370
Immediate Actions Required
- Disable or remove the Video & Photo Gallery for Ultimate Member plugin until a fixed version is confirmed installed
- Audit wp-content/uploads/ for unauthorized PHP files and remove any web shells discovered
- Rotate all WordPress administrator and database credentials, plus any API keys stored in wp-config.php
- Review user registrations created since plugin installation and remove suspicious low-privilege accounts
Patch Information
No patched version is listed in the NVD record at the time of writing. Site operators should consult the Patchstack advisory and the plugin vendor for an updated release beyond version 1.1.0.
Workarounds
- Block PHP execution inside wp-content/uploads/ using web server configuration directives
- Deploy a WordPress-aware Web Application Firewall rule that blocks uploads containing PHP extensions or executable magic bytes
- Restrict gallery upload capabilities to trusted user roles only by adjusting Ultimate Member role permissions
- Disable open user registration on the affected WordPress site to limit the pool of low-privileged accounts
# Apache: prevent PHP execution in WordPress uploads directory
# Place the following in wp-content/uploads/.htaccess
<FilesMatch "\.(php|phtml|phar|php3|php4|php5|php7|phps)$">
Require all denied
</FilesMatch>
# Nginx equivalent in server block:
# location ~* /wp-content/uploads/.*\.(php|phtml|phar)$ {
# deny all;
# return 403;
# }
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
