CVE-2024-31210: 
WordPress vulnerability analysis and mitigation

WordPress, an open publishing platform for the Web, was found to contain a vulnerability (CVE-2024-31210) that allows administrative users to bypass file upload restrictions in the plugin installation process. The vulnerability was discovered and disclosed in January 2024, affecting WordPress versions from 4.1 through 6.4.2. This security issue specifically impacts Administrator level users on single site installations and Super Admin level users on Multisite installations (GitHub Advisory).

The vulnerability stems from improper file type validation in the Plugins -> Add New -> Upload Plugin screen. When FTP credentials are requested for installation, a non-zip file can be uploaded and remains temporarily available in the Media Library despite being disallowed. This becomes particularly dangerous when combined with the DISALLOWFILEEDIT constant set to true and FTP credentials are required, as it enables potential Remote Code Execution (RCE) capabilities. The vulnerability has been assigned a CVSS v3.1 score of 7.6 (High) with the vector string CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H (ZDI Advisory).

The vulnerability enables potential Remote Code Execution (RCE) in scenarios where users would normally have no means of executing arbitrary PHP code. This is particularly significant in environments where security restrictions are in place through the DISALLOWFILEEDIT constant. The impact is limited to high-privilege users (Administrators and Super Admins) and specific server configurations requiring FTP credentials (GitHub Advisory).

The vulnerability was patched in WordPress 6.4.3 on January 30, 2024, with backported fixes to versions 6.3.3, 6.2.4, 6.1.5, 6.0.7, 5.9.9, and many earlier versions down to 4.1.40. As a workaround, administrators can define the DISALLOWFILEMODS constant as true, which prevents any user from uploading plugins, effectively mitigating the vulnerability (GitHub Advisory).