PT-2024-2953 · WordPress · Wordpress

Peterwilsoncc · Published 2024-04-04 · Updated 2026-01-07 · CVE-2024-31210

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

WordPress versions prior to 6.4.3; WordPress versions 6.3.3, 6.2.4, 6.1.5, 6.0.7, 5.9.9, 5.8.9, 5.7.11, 5.6.13, 5.5.14, 5.4.15, 5.3.17, 5.2.20, 5.1.18, 5.0.21, 4.9.25, 2.8.24, 4.7.28, 4.6.28, 4.5.31, 4.4.32, 4.3.33, 4.2.37, and 4.1.40

Description

The issue allows an administrative user to submit a file of a type other than a zip file as a new plugin, potentially leading to remote code execution (RCE) if the DISALLOW_FILE_EDIT constant is set to true and FTP credentials are required. This affects Administrator-level users on single-site installations and Super Admin-level users on Multisite installations. The issue does not affect lower-level users or sites where the DISALLOW_FILE_MODS constant is set to true.

Recommendations

Update to WordPress version 6.4.3 or later. For versions 6.3.3, 6.2.4, 6.1.5, 6.0.7, 5.9.9, 5.8.9, 5.7.11, 5.6.13, 5.5.14, 5.4.15, 5.3.17, 5.2.20, 5.1.18, 5.0.21, 4.9.25, 2.8.24, 4.7.28, 4.6.28, 4.5.31, 4.4.32, 4.3.33, 4.2.37, and 4.1.40, update to the corresponding backported version. As a temporary workaround, consider defining the DISALLOW_FILE_MODS constant as true to prevent plugin uploads.
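A defender-side check for the branch table and workaround above, added here as an example and not part of the advisory: it classifies an install as fixed, mitigated or vulnerable from the contents of wp-includes/version.php and wp-config.php (both assumed readable; the release list is copied from the advisory as printed).

```python
import re
from typing import Optional, Tuple

# Patched releases per branch, copied from the advisory as printed
# (the "2.8.24" entry is kept exactly as it appears there).
FIXED_RELEASES = [
    "6.4.3", "6.3.3", "6.2.4", "6.1.5", "6.0.7", "5.9.9", "5.8.9", "5.7.11",
    "5.6.13", "5.5.14", "5.4.15", "5.3.17", "5.2.20", "5.1.18", "5.0.21",
    "4.9.25", "2.8.24", "4.7.28", "4.6.28", "4.5.31", "4.4.32", "4.3.33",
    "4.2.37", "4.1.40",
]

def parse_version(v: str) -> Tuple[int, ...]:
    """'6.4' or '6.4.2' -> comparable (major, minor, patch); '6.4' means 6.4.0."""
    parts = [int(p) for p in v.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])

FIXED_BY_BRANCH = {parse_version(v)[:2]: parse_version(v) for v in FIXED_RELEASES}
LATEST_FIXED = parse_version("6.4.3")

def version_from_version_php(text: str) -> Optional[str]:
    """Pull $wp_version out of the content of wp-includes/version.php."""
    m = re.search(r"\$wp_version\s*=\s*['\"]([0-9.]+)['\"]", text)
    return m.group(1) if m else None

def file_mods_disabled(wp_config: str) -> bool:
    """True if wp-config.php defines DISALLOW_FILE_MODS as true on a live
    (non-commented) line; PHP constant names are case-sensitive, 'true' is not."""
    pat = re.compile(r"define\(\s*['\"]DISALLOW_FILE_MODS['\"]\s*,\s*(?i:true)\s*\)")
    for line in wp_config.splitlines():
        if line.strip().startswith(("//", "#")):
            continue
        if pat.search(line):
            return True
    return False

def assess(version: str, wp_config: str = "") -> str:
    """Classify an install as 'fixed', 'mitigated' (workaround set) or 'vulnerable'."""
    ver = parse_version(version)
    fixed = LATEST_FIXED if ver >= LATEST_FIXED else FIXED_BY_BRANCH.get(ver[:2])
    if fixed is not None and ver >= fixed:
        return "fixed"
    # Below its branch's fix, or on a branch with no backport listed above.
    return "mitigated" if file_mods_disabled(wp_config) else "vulnerable"
if __name__ == "__main__":
    # Constructed sample inputs, not taken from a real site.
    version_php = "<?php\n$wp_version = '6.4.2';\n"
    wp_config = "<?php\n// define( 'DISALLOW_FILE_MODS', true );\ndefine( 'DISALLOW_FILE_MODS', true );\n"
    print(assess(version_from_version_php(version_php) or "0", wp_config))  # mitigated
```

A branch that has no entry in the list above (for example 4.8.x, which the advisory prints as 2.8.24) is reported as vulnerable unless the workaround is set, since anything below 6.4.3 without a listed backport is affected.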

Exploit

Fix

RCE

Unrestricted File Upload

Weakness Enumeration

Related Identifiers

BDU:2024-03120
BIT-WORDPRESS-2024-31210
BIT-WORDPRESS-MULTISITE-2024-31210
CVE-2024-31210
DSA-5685-1
GHSA-X79F-XRJV-JX5R
ZDI-24-1530

Affected Products

Wordpress