CVE-2021-24223

N5 Upload Form <= 1.0 - Unauthenticated Arbitrary File Upload to RCE

EPSS 2.2%CWE-434

Vexday Risk Score

3Bajo

Decisión SSVC (CISA)

Track

Sin señal de explotación → monitorear

CVSS —EPSS 2.2%KEV nãoPoC —Nuclei —Metasploit —Patch —

Ciclo de vida

12 abr 2021Publicada en NVD

Recomendación: Monitorear — sin señal de explotación por ahora.

The N5 Upload Form WordPress plugin through 1.0 suffers from an arbitrary file upload issue in page where a Form from the plugin is embed, as any file can be uploaded. The uploaded filename might be hard to guess as it's generated with md5(uniqid(rand())), however, in the case of misconfigured servers with Directory listing enabled, accessing it is trivial.

Productos afectados

Unknown · N5 Upload Form

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →

Referencias

https://github.com/jinhuang1102/CVE-ID-Reports/blob/12863f80ced5361e2e2c3f7209566ab3730aa37b/N5_upload.md https://wpscan.com/vulnerability/d7a72183-0cd1-45de-b98b-2e295b27e5db