CVE-2021-24620
Simple eCommerce <= 2.2.5 - Arbitrary File Upload
Vexday Risk Score
3Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS —EPSS 0.6%KEV nãoPoC —Nuclei —Metasploit —Patch —
Lifecycle
13 Sep 2021Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
The WordPress Simple Ecommerce Shopping Cart Plugin- Sell products through Paypal plugin through 2.2.5 does not check for the uploaded Downloadable Digital product file, allowing any file, such as PHP to be uploaded by an administrator. Furthermore, as there is no CSRF in place, attackers could also make a logged admin upload a malicious PHP file, which would lead to RCE
Affected products
Unknown · WordPress Simple Ecommerce Shopping Cart Plugin- Sell products through PaypalWant to know if your infrastructure is exposed to this?
Talk to TrueHacking →