cvelist, WPScan, CVELIST:CVE-2021-24123
History: Mar 18, 2021 - 2:57 p.m.

CVE-2021-24123 PowerPress < 8.3.8 - Authenticated Arbitrary File Upload leading to RCE

2021-03-18 14:57:47
CWE-434
WPScan
www.cve.org
arbitrary file upload
powerpress
wordpress plugin
rce
cve-2021-24123
authenticated
file upload

EPSS: 0.001

Percentile: 44.4%

The PowerPress WordPress plugin, in versions before 8.3.8, did not verify some of the uploaded feed images (such as the ones from the Podcast Artwork section). This allowed high-privilege accounts (admin+) to upload arbitrary files, such as PHP files, leading to RCE.

CNA Affected

[
  {
    "product": "PowerPress",
    "vendor": "Unknown",
    "versions": [
      {
        "lessThan": "8.3.8",
        "status": "affected",
        "version": "8.3.8",
        "versionType": "custom"
      }
    ]
  }
]
