CVE-2024-31351

10.0 CRITICAL

📋 TL;DR

This vulnerability lets an unauthenticated attacker upload arbitrary files to any WordPress site running the Copymatic plugin. Because the uploaded file can be a PHP web shell, a successful upload typically hands the attacker code execution as the web server user and, from there, full control of the site. All WordPress sites running Copymatic versions up to and including 1.6 are affected.

💻 Affected Systems

Products:
  • Copymatic – AI Content Writer & Generator WordPress plugin
Versions: n/a through 1.6
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all WordPress installations with the vulnerable plugin version, regardless of configuration.

📦 What is this software?

Copymatic – AI Content Writer & Generator is a WordPress plugin that adds AI-assisted content writing and generation to a WordPress site.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete server compromise leading to data theft, ransomware deployment, or use of the host as part of a botnet.

🟠 Likely Case: Website defacement, malware distribution, credential theft, and backdoor installation.

🟢 If Mitigated: Limited impact if the web server refuses to execute PHP in the upload directory; the attacker can still place files there but cannot run them, so the upload no longer yields a shell.

🌐 Internet-Facing: HIGH - WordPress sites are typically internet-facing and the exploit requires no authentication.
🏢 Internal Only: LOW - Exposure is lower only because fewer people can reach the site; an internal-only installation is just as exploitable by anyone on the network, since no credentials are needed.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit details available on Patchstack. Simple HTTP requests can trigger the vulnerability.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.7 or later

Vendor Advisory: https://patchstack.com/database/vulnerability/copymatic/wordpress-copymatic-plugin-1-6-unauthenticated-arbitrary-file-upload-vulnerability

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the Copymatic plugin.
4. Click 'Update Now' if an update is available (1.7 or later).
5. If no update is available, deactivate and delete the plugin immediately.

🔧 Temporary Workarounds

Disable plugin (all platforms)

Deactivate the Copymatic plugin to prevent exploitation:

wp plugin deactivate copymatic

Restrict upload directory execution (Linux, Apache)

Prevent PHP execution in upload directories. Add 'php_flag engine off' to .htaccess in the wp-content/uploads/ directory. This directive is only honoured when PHP runs as an Apache module (mod_php); under PHP-FPM or CGI Apache does not know the directive, and an unguarded php_flag line makes every request under that directory fail with a 500 error. For FPM/CGI setups deny access to *.php files in that tree instead (an Apache <FilesMatch> block with 'Require all denied', or an nginx location block with 'deny all'). Either way, the block only helps if it covers the directory the plugin actually writes uploaded files into.
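The following shell script, added here as an example and not taken from the advisory or the plugin, writes an .htaccess into an uploads directory that denies requests for PHP-like files under any PHP SAPI (the FilesMatch block) and adds 'php_flag engine off' only when mod_php is loaded, so the file is safe on PHP-FPM hosts as well. It then lists PHP-like files already present in that tree, which a clean WordPress uploads directory should not contain. It assumes Apache with AllowOverride enabled for the uploads path; the directory argument and any sample files are illustrative.

```shell
#!/bin/sh
# Added example, not part of the advisory or the Copymatic plugin.
# Assumes Apache with AllowOverride (Limit/Options or All) for the uploads tree.

# Write an .htaccess that stops PHP execution under DIR.
# The FilesMatch block works on mod_php, PHP-FPM and CGI alike.
# "php_flag engine off" is honoured only by mod_php and, if left unguarded,
# makes an FPM/CGI-backed Apache answer 500 for everything in the tree,
# so it is wrapped in IfModule.
harden_uploads_dir() {
  uploads_dir="$1"
  if [ ! -d "$uploads_dir" ]; then
    echo "no such directory: $uploads_dir" >&2
    return 1
  fi
  cat > "$uploads_dir/.htaccess" <<'EOF'
# Deny direct requests for any PHP-like file in this tree.
<FilesMatch "\.(php|phtml|phar|php[0-9])$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>
# Belt and braces for mod_php only; ignored elsewhere.
<IfModule mod_php.c>
    php_flag engine off
</IfModule>
<IfModule mod_php7.c>
    php_flag engine off
</IfModule>
EOF
}

# List PHP-like files under an uploads tree. Normal uploads contain none,
# so every hit is worth a look (timestamps, owner, content).
find_php_in_uploads() {
  find "$1" -type f \( -iname '*.php' -o -iname '*.phtml' \
                       -o -iname '*.phar' -o -iname '*.php[0-9]' \)
}

# Usage: ./harden-uploads.sh /var/www/html/wp-content/uploads
if [ "$#" -gt 0 ]; then
  harden_uploads_dir "$1" && find_php_in_uploads "$1"
fi
```

On nginx the equivalent is a `location ~* ^/wp-content/uploads/.*\.php$ { deny all; }` block placed before the generic PHP fastcgi location, since nginx ignores .htaccess entirely.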

🧯 If You Can't Patch

  • Immediately deactivate and remove the Copymatic plugin from all WordPress sites
  • Implement web application firewall rules to block file upload requests to vulnerable endpoints

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Installed Plugins for Copymatic version ≤1.6

Check Version:

wp plugin get copymatic --field=version

Verify Fix Applied:

Verify plugin version is ≥1.7 or plugin is completely removed
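The script below, an added example rather than anything from the advisory, turns the WP-CLI check above into a fleet-wide sweep: it reads the installed Copymatic version from each WordPress root passed on the command line and classifies the site as VULNERABLE (1.6 or older), PATCHED (1.7 or later) or ABSENT (plugin not installed). The site paths such as /var/www/site1 are assumptions; the version comparison itself needs only awk and can be run offline.

```shell
#!/bin/sh
# Added example, not part of the advisory. Requires WP-CLI ("wp") on the host
# for the live check; copymatic_vulnerable itself has no dependencies.

# Exit 0 (true) when VERSION is at or below 1.6, the last affected release.
# A missing minor component counts as 0. 1.6.x point releases are flagged
# too, since the advisory names 1.7 as the first fixed version.
copymatic_vulnerable() {
  awk -v v="$1" 'BEGIN {
    n = split(v, p, ".")
    maj = p[1] + 0
    min = (n >= 2) ? p[2] + 0 : 0
    exit !(maj < 1 || (maj == 1 && min <= 6))
  }'
}

# Classify one WordPress install rooted at PATH.
# "wp plugin get" exits non-zero when the plugin is not installed.
check_site() {
  site_path="$1"
  ver=$(wp --path="$site_path" plugin get copymatic --field=version 2>/dev/null) \
    || { echo "ABSENT     $site_path"; return 0; }
  if copymatic_vulnerable "$ver"; then
    echo "VULNERABLE $site_path copymatic=$ver"
  else
    echo "PATCHED    $site_path copymatic=$ver"
  fi
}

# Usage: ./check-copymatic.sh /var/www/site1 /var/www/site2 ...
for site in "$@"; do
  check_site "$site"
done
```

Any site reported VULNERABLE should be treated as potentially already compromised, not merely unpatched, given that the exploit is public and unauthenticated; update or remove the plugin and then check the upload directory for PHP files.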

📡 Detection & Monitoring

Log Indicators:

  • POST requests to /wp-content/plugins/copymatic/upload.php with file uploads
  • Unexpected PHP file creation in upload directories

Network Indicators:

  • HTTP POST requests with file uploads to Copymatic plugin endpoints
  • Unusual outbound connections from web server

SIEM Query:

source="web_logs" method="POST" uri="/wp-content/plugins/copymatic/*"

The query uses a Splunk-style key="value" syntax; adapt the field names to your SIEM. Standard web server access logs carry no file_upload field, so do not filter on one: if the log records the request Content-Type, add a multipart/form-data filter, otherwise treat every POST to the plugin directory as suspicious and pair each hit with a check for new .php files under wp-content/uploads/.
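As an added example (not from the advisory), the awk filters below apply the two log indicators above to a combined-format access log: POSTs aimed at the Copymatic plugin directory, and follow-on requests for PHP files under wp-content/uploads/, which is what a planted web shell looks like from the web server's side. The log lines in sample_log are constructed for illustration; the IP addresses, timestamps and file names are not real observations.

```shell
#!/bin/sh
# Added example, not part of the advisory. Works on Apache/nginx combined
# log format, where whitespace-separated fields are:
#   $1 client IP, $6 "METHOD (leading quote), $7 request path, $9 status.

# Every POST whose path is under the Copymatic plugin directory.
# Prints: client path status
copymatic_posts() {
  awk '$6 == "\"POST" && $7 ~ /^\/wp-content\/plugins\/copymatic\// {
         print $1, $7, $9 }' "$@"
}

# Same filter restricted to 2xx responses, i.e. uploads the server accepted.
copymatic_successful_posts() {
  copymatic_posts "$@" | awk '$3 ~ /^2/'
}

# Requests for PHP-like files under wp-content/uploads/. A legitimate
# WordPress install never serves PHP from there, so any hit is an indicator
# of a planted script being invoked. Prints: client method path status
php_under_uploads() {
  awk '$7 ~ /^\/wp-content\/uploads\/.*\.(php|phtml|phar)(\?|$)/ {
         m = $6; sub(/^"/, "", m); print $1, m, $7, $9 }' "$@"
}

# Constructed sample log (not real traffic) so the script runs offline.
sample_log() {
  cat <<'EOF'
203.0.113.10 - - [14/Apr/2024:09:12:01 +0000] "GET /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.10 - - [14/Apr/2024:09:12:05 +0000] "POST /wp-content/plugins/copymatic/upload.php HTTP/1.1" 200 57 "-" "python-requests/2.31"
198.51.100.7 - - [14/Apr/2024:09:13:40 +0000] "GET /wp-content/uploads/2024/04/photo.jpg HTTP/1.1" 200 88123 "-" "Mozilla/5.0"
203.0.113.10 - - [14/Apr/2024:09:12:09 +0000] "GET /wp-content/uploads/2024/04/image.php HTTP/1.1" 200 120 "-" "python-requests/2.31"
198.51.100.7 - - [14/Apr/2024:09:15:02 +0000] "POST /wp-content/plugins/copymatic/upload.php HTTP/1.1" 403 0 "-" "curl/8.4.0"
EOF
}

# Usage: ./copymatic-hunt.sh /var/log/apache2/access.log [more logs...]
# With no arguments the constructed sample is used.
if [ "$#" -gt 0 ]; then
  echo "== POSTs to the Copymatic plugin directory"; copymatic_posts "$@"
  echo "== PHP requested under wp-content/uploads"; php_under_uploads "$@"
else
  echo "== POSTs to the Copymatic plugin directory"; sample_log | copymatic_posts
  echo "== PHP requested under wp-content/uploads"; sample_log | php_under_uploads
fi
```

A 2xx on the upload endpoint followed shortly by a request for a .php file under uploads from the same client, as in the sample, is the sequence to escalate on; a lone 403 (as from the second client) is consistent with a WAF or the FilesMatch rule doing its job but still identifies a host worth blocking.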
