CVE-2021-24220

🗓️ 12 Apr 2021 14:03:12Reported by WPScanType

cve🔗 web.nvd.nist.gov📰️ 4 Media mentions👁 56 Views🌐 WEB

Thrive WordPress themes before 2.0.0 allow remote code execution via crafted REST API requests

Reporter	Title	Published	Views	Family All 12
Circl	CVE-2021-24220	22 Oct 202518:12	–	circl
CNNVD	Wordpress插件代码问题漏洞	12 Apr 202100:00	–	cnnvd
Cvelist	CVE-2021-24220 All Thrive Themes Legacy Themes < 2.0.0 - Unauthenticated Arbitrary File Upload and Option Deletion	12 Apr 202114:03	–	cvelist
EUVD	EUVD-2021-11134	7 Oct 202500:30	–	euvd
Nuclei	Multiple Thrive Themes < 2.0.0 - Arbitrary File Upload	7 Jun 202603:02	–	nuclei
NVD	CVE-2021-24220	12 Apr 202114:15	–	nvd
OSV	CVE-2021-24220	12 Apr 202114:15	–	osv
Prion	Design/Logic Flaw	12 Apr 202114:15	–	prion
RedhatCVE	CVE-2021-24220	22 May 202521:05	–	redhatcve
VulnCheck KEV	VulnCheck KEV: CVE-2021-24220	24 Mar 202100:00	–	vulncheck_kev

NVD

Vulners

Node

thrivethemes focusblogRange<2.0.0wordpress_

thrivethemes ignitionRange<2.0.0wordpress

thrivethemes luxeRange<2.0.0wordpress

thrivethemes minusRange<2.0.0wordpress

thrivethemes performagRange<2.0.0wordpress

thrivethemes pressiveRange<2.0.0wordpress

thrivethemes riseRange<2.0.0wordpress

thrivethemes squaredRange<2.0.0wordpress

thrivethemes storiedRange<2.0.0wordpress

thrivethemes voiceRange<2.0.0wordpress

[
  {
    "product": "Rise by Thrive Themes",
    "vendor": "Thrive Themes",
    "versions": [
      {
        "lessThan": "2.0.0",
        "status": "affected",
        "version": "2.0.0",
        "versionType": "custom"
      }
    ]
  },
  {
    "product": "Luxe by Thrive Themes",
    "vendor": "Thrive Themes",
    "versions": [
      {
        "lessThan": "2.0.0",
        "status": "affected",
        "version": "2.0.0",
        "versionType": "custom"
      }
    ]
  },
  {
    "product": "Minus by Thrive Themes",
    "vendor": "Thrive Themes",
    "versions": [
      {
        "lessThan": "2.0.0",
        "status": "affected",
        "version": "2.0.0",
        "versionType": "custom"
      }
    ]
  },
  {
    "product": "Ignition by Thrive Themes",
    "vendor": "Thrive Themes",
    "versions": [
      {
        "lessThan": "2.0.0",
        "status": "affected",
        "version": "2.0.0",
        "versionType": "custom"
      }
    ]
  },
  {
    "product": "FocusBlog by Thrive Themes",
    "vendor": "Thrive Themes",
    "versions": [
      {
        "lessThan": "2.0.0",
        "status": "affected",
        "version": "2.0.0",
        "versionType": "custom"
      }
    ]
  },
  {
    "product": "Squared by Thrive Themes",
    "vendor": "Thrive Themes",
    "versions": [
      {
        "lessThan": "2.0.0",
        "status": "affected",
        "version": "2.0.0",
        "versionType": "custom"
      }
    ]
  },
  {
    "product": "Voice",
    "vendor": "Thrive Themes",
    "versions": [
      {
        "lessThan": "2.0.0",
        "status": "affected",
        "version": "2.0.0",
        "versionType": "custom"
      }
    ]
  },
  {
    "product": "Performag by Thrive Themes",
    "vendor": "Thrive Themes",
    "versions": [
      {
        "lessThan": "2.0.0",
        "status": "affected",
        "version": "2.0.0",
        "versionType": "custom"
      }
    ]
  },
  {
    "product": "Pressive by Thrive Themes",
    "vendor": "Thrive Themes",
    "versions": [
      {
        "lessThan": "2.0.0",
        "status": "affected",
        "version": "2.0.0",
        "versionType": "custom"
      }
    ]
  },
  {
    "product": "Storied by Thrive Themes",
    "vendor": "Thrive Themes",
    "versions": [
      {
        "lessThan": "2.0.0",
        "status": "affected",
        "version": "2.0.0",
        "versionType": "custom"
      }
    ]
  }
]

Source	Link
wordfence	www.wordfence.com/blog/2021/03/recently-patched-vulnerability-in-thrive-themes-actively-exploited-in-the-wild
wpscan	www.wpscan.com/vulnerability/a2424354-2639-4f53-a24f-afc11f6c4cac

Parameter	Position	Path	Description	CWE
id	request body	/wp-json/thrive/kraken	REST endpoint misuse possible to fetch remote code and overwrite/create files via crafted request (CVE-2021-24220).	CWE-434
results	request body	/wp-json/thrive/kraken	REST endpoint misuse possible to fetch remote code and overwrite/create files via crafted request (CVE-2021-24220).	CWE-434
kraked_url	request body	/wp-json/thrive/kraken	REST endpoint misuse possible to fetch remote code and overwrite/create files via crafted request (CVE-2021-24220).	CWE-434

21 Nov 2024 05:52Current

9.2High risk

Vulners AI Score9.2

CVSS 26.4

CVSS 3.19.1

EPSS0.6379

CWE-434