CVE-2021-24253

🗓️ 05 May 2021 18:39:43Reported by WPScanType

cve🔗 web.nvd.nist.gov👁 46 Views🌐 WEB

The Classyfrieds WordPress plugin through 3.8 allows authenticated users to upload arbitrary PHP files, leading to RCE

Reporter	Title	Published	Views	Family All 10
CNNVD	WordPress 代码问题漏洞	6 May 202100:00	–	cnnvd
CNVD	WordPress Classyfrieds Plugin Remote Code Execution Vulnerability	14 May 202100:00	–	cnvd
Cvelist	CVE-2021-24253 Classyfrieds <= 3.8 - Authenticated Arbitrary File Upload to RCE	5 May 202118:39	–	cvelist
EUVD	EUVD-2021-11167	7 Oct 202500:30	–	euvd
NVD	CVE-2021-24253	6 May 202113:15	–	nvd
Patchstack	WordPress Classyfrieds plugin <= 3.8 - Authenticated Arbitrary File Upload vulnerability leading to Remote Code Execution (RCE)	10 Apr 202100:00	–	patchstack
Prion	Cross site request forgery (csrf)	6 May 202113:15	–	prion
RedhatCVE	CVE-2021-24253	22 May 202519:21	–	redhatcve
wpexploit	Classyfrieds <= 3.8 - Authenticated Arbitrary File Upload to RCE	10 Apr 202100:00	–	wpexploit
WPVulnDB	Classyfrieds <= 3.8 - Authenticated Arbitrary File Upload to RCE	10 Apr 202100:00	–	wpvulndb

NVD

Vulners

Node

classyfrieds_project classyfriedsRange≤3.8wordpress

[
  {
    "product": "Classyfrieds",
    "vendor": "Unknown",
    "versions": [
      {
        "lessThanOrEqual": "3.8",
        "status": "affected",
        "version": "3.8",
        "versionType": "custom"
      }
    ]
  }
]

Source	Link
wpscan	www.wpscan.com/vulnerability/ee42c233-0ff6-4b27-a5ec-ad3246bef079
github	www.github.com/jinhuang1102/CVE-ID-Reports/blob/master/classyfrieds.md

Parameter	Position	Path	Description	CWE
foto	nested	/add_a_listing/	Authenticated user can upload a PHP file through multipart/form-data in Add Listing, bypassing proper file type checks, enabling remote code execution.	CWE-434

21 Nov 2024 05:52Current

8.7High risk

Vulners AI Score8.7

CVSS 26.5

CVSS 3.18.8

EPSS0.01964

CWE-434