CVE-2024-31210 – PHP file upload bypass via Plugin installer

https://notcve.org/view.php?id=CVE-2024-31210

04 Apr 2024 — WordPress is an open publishing platform for the Web. It's possible for a file of a type other than a zip file to be submitted as a new plugin by an administrative user on the Plugins -> Add New -> Upload Plugin screen in WordPress. If FTP credentials are requested for installation (in order to move the file into place outside of the `uploads` directory) then the uploaded file remains temporary available in the Media Library despite it not being allowed. If the `DISALLOW_FILE_EDIT` constant is set to `true`... • https://github.com/Abo5/CVE-2024-31210 • CWE-434: Unrestricted Upload of File with Dangerous Type •