CVE-2021-24254

College Publisher Import <= 0.1 - Arbitrary File Upload to RCE

EPSS 1.8%CWE-434

Vexday Risk Score

3Baixo

Decisão SSVC (CISA)

Track

Sem sinal de exploração → monitorar

CVSS —EPSS 1.8%KEV nãoPoC —Nuclei —Metasploit —Patch —

Ciclo de vida

05 mai 2021Publicada no NVD

Recomendação: Monitorar — sem sinal de exploração no momento.

The College publisher Import WordPress plugin through 0.1 does not check for the uploaded CSV file to import, allowing high privilege users to upload arbitrary files, such as PHP, leading to RCE. Due to the lack of CSRF check, the issue could also be exploited via a CSRF attack.

Produtos afetados

Unknown · College publisher Import

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →

Referências

https://github.com/jinhuang1102/CVE-ID-Reports/blob/master/College%20Puglisher%20Import.md https://wpscan.com/vulnerability/bb3e56dd-ae2e-45c2-a6c9-a59ae5fc1dc4