CVE-2024-31210Unrestricted File Upload in Wordpress Wordpress-develop

CWE-434Unrestricted File Upload6 documents5 sources
Severity
8.8HIGHNVD
CNA7.6
EPSS
0.9%
top 24.05%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Wordpress Wordpress-developWordpress
Timeline
PublishedApr 4
Latest updateApr 15

Description

WordPress is an open publishing platform for the Web. It's possible for a file of a type other than a zip file to be submitted as a new plugin by an administrative user on the Plugins -> Add New -> Upload Plugin screen in WordPress. If FTP credentials are requested for installation (in order to move the file into place outside of the `uploads` directory) then the uploaded file remains temporary available in the Media Library despite it not being allowed. If the `DISALLOW_FILE_EDIT` constant is s

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages3 packages

NVDwordpress/wordpress4.24.2.37+23
CVEListV5wordpress/wordpress-develop< 4.1.40+23
Debianwordpress/wordpress< 5.7.11+dfsg1-0+deb11u1+3

🔴Vulnerability Details

2
OSV
CVE-2024-31210: WordPress is an open publishing platform for the Web2024-04-04
CVEList
PHP file upload bypass via Plugin installer2024-04-04

📋Vendor Advisories

1
Debian
CVE-2024-31210: wordpress - WordPress is an open publishing platform for the Web. It's possible for a file o...2024

🕵️Threat Intelligence

2
Qualys
WordPress RCE Vulnerability CVE-2024-31210 Puts Websites at Risk2024-04-15
Qualys
WordPress RCE Vulnerability: CVE-2024-31210 Alert | Qualys2024-04-15