Published: June 2024
What is CVE-2024-31211?
CVE-2024-31211 is a critical security flaw discovered in WordPress, the world’s most popular open publishing platform. This vulnerability allows attackers to execute arbitrary code on a server by exploiting the way certain objects are "unserialized" within the WordPress core, specifically through the WP_HTML_Token class. The issue lies in the magic PHP method __destruct() within this class.
> Important: Only WordPress versions 6.4. and 6.4.1 are affected. Versions prior to 6.4. are not vulnerable.
> It was fully patched with WordPress 6.4.2, released on December 6th, 2023.
How Does it Work? (Technical Overview)
Unserialization in PHP is a process of re-creating PHP objects from a stored string format. If this process is insecure, attackers can trick your application into running dangerous code.
Magic Method Involved: __destruct()
- Attack Vector: Crafted payloads are passed to WordPress so that when unserialization happens, arbitrary PHP code can be triggered.
Here’s what a simplified vulnerable flow looks like
// Example (simplified - do not use in production):
if (isset($_POST['data'])) {
// Potentially unsafe unserialization
$obj = unserialize($_POST['data']);
}
If an attacker sends a specially crafted serialized object that uses the WP_HTML_Token class, the destructor could be coerced to execute code or manipulate the environment dangerously.
Here’s a stylized look at the problematic section
class WP_HTML_Token {
// ... other methods/properties ...
public function __destruct() {
// Vulnerable if $this->data is user-controlled!
eval($this->data);
}
}
// This part is dangerous if user input is not validated:
$user_payload = $_POST['token'];
$object = unserialize($user_payload); // Triggers __destruct() eventually!
> Warning: The above is for educational purposes. In reality, the actual code is more complex, but the exploit relies on unsafe combination of unserialize() and methods like eval() or other execution contexts.
Attackers commonly exploit this by
1. Sending a crafted payload: The attacker sends a serialized WP_HTML_Token object with malicious properties set (such as code in $this->data).
2. Triggering the magic method: When the object is destroyed, the __destruct() method is called and executes attacker-chosen code.
Here is a basic serialized payload (conceptual only)
O:14:"WP_HTML_Token":1:{s:4:"data";s:30:"system('id > /tmp/pwned.txt');";}
If this object is unserialized by vulnerable code, the __destruct() method runs system('id > /tmp/pwned.txt'); on the target server.
Hardening how objects are managed in core code.
Reference:
- WordPress 6.4.2 Security Release Notes
- CVE Record for CVE-2024-31211
- WordPress WP_HTML_Token class changelog
Severity: If exploited, attackers can gain control of your server.
- Risk: Anyone running WordPress 6.4. or 6.4.1 and allowing untrusted data through unserialize() is at risk.
- Attack Surface: Especially problematic on sites with user uploads, plugins, or themes that use unserialize().
Update Your WordPress NOW:
Make sure you are running WordPress 6.4.2 or higher. This is the only way to guarantee safety from this vulnerability.
Conclusion
CVE-2024-31211 is yet another wake-up call for website owners and developers: always update your WordPress sites, audit your plugins and themes, and never unserialize data from users! Unpatched, this vulnerability can put your whole server at risk of remote code execution and compromise.
References
- WordPress 6.4.2 Security Release
- CVE-2024-31211 Details (MITRE)
- Exploit Example Write-up
- Technical Changeset
Stay updated. Stay secure.
If you believe your site was exploited via this issue, change FTP/DB passwords and scan for backdoors immediately.
Timeline
Published on: 04/04/2024 23:15:16 UTC
Last modified on: 06/04/2024 17:36:13 UTC