CVE-2021-24252

Event Banner <= 1.3 - Arbitrary File Upload to RCE

EPSS 1.7%CWE-434

Vexday Risk Score

3Bajo

Decisión SSVC (CISA)

Track

Sin señal de explotación → monitorear

CVSS —EPSS 1.7%KEV nãoPoC —Nuclei —Metasploit —Patch —

Ciclo de vida

05 may 2021Publicada en NVD

Recomendación: Monitorear — sin señal de explotación por ahora.

The Event Banner WordPress plugin through 1.3 does not verify the uploaded image file, allowing admin accounts to upload arbitrary files, such as .exe, .php, or others executable, leading to RCE. Due to the lack of CSRF check, the issue can also be used via such vector to achieve the same result, or via a LFI as authorisation checks are missing (but would require WP to be loaded)

Productos afectados

Unknown · Event Banner

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →

Referencias

https://github.com/jinhuang1102/CVE-ID-Reports/blob/master/Event%20Banner.md https://wpscan.com/vulnerability/91e81c6d-f24d-4f87-bc13-746715af8f7c