This is a summary of the AI-generated 10-question deep analysis. The full version (longer answers, follow-up Q&A, related CVEs) requires login. Read the full analysis β
Q1What is this vulnerability? (Essence + Consequences)
π¨ **Essence**: A critical Arbitrary File Upload flaw in the WordPress 'Auto Poster' plugin.β¦
π‘οΈ **Root Cause**: **CWE-434** (Unrestricted Upload of File with Dangerous Type). The plugin fails to validate file extensions or content, allowing dangerous file types to be uploaded directly to the server. β οΈ
Q3Who is affected? (Versions/Components)
π₯ **Affected**: WordPress Plugin **Auto Poster** by Sukhchain Singh. Specifically versions **<= 1.2**. π¦ If you are running this plugin, you are at risk.
Q4What can hackers do? (Privileges/Data)
π **Attacker Capabilities**: With this upload, hackers gain **Full Control**. They can execute arbitrary PHP code, access sensitive database data, modify site content, and pivot to other internal systems. πΈοΈ
Q5Is exploitation threshold high? (Auth/Config)
π **Exploitation Threshold**: **Medium**. Requires **PR:H** (Privileges Required: High). The attacker needs valid WordPress credentials to access the plugin's upload functionality. It is not fully anonymous. π
Q6Is there a public Exp? (PoC/Wild Exploitation)
π£ **Public Exploit**: **YES**. A PoC is available on GitHub (`Chokopikkk/CVE-2024-31345_exploit`). Wild exploitation is likely as the mechanism is straightforward. π
Q7How to self-check? (Features/Scanning)
π **Self-Check**: Scan for the **Auto Poster** plugin version. Check if version is **1.2 or lower**. Look for unauthorized PHP files in the `wp-content/uploads` directory. π§
π§ **No Patch Workaround**: **Disable** the Auto Poster plugin immediately. If essential, restrict file upload permissions via `.htaccess` or WAF rules to block `.php` uploads. π
Q10Is it urgent? (Priority Suggestion)
β‘ **Urgency**: **CRITICAL**. CVSS Score is **9.8** (High). Due to easy exploit availability and high impact, patch or disable immediately. Do not wait. πββοΈ