CVE-2020-24186
Published 2020-08-24
CVE-2020-24186: A Remote Code Execution vulnerability exists in the gVectors wpDiscuz plugin 7.0 through 7.0.4 for WordPress, which allows unauthenticated users to upload any…
Priority P1 88 critical 10 CVSS 3.1
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EXPLOIT
EPSS: 94.53% (99.8th percentile)
A Remote Code Execution vulnerability exists in the gVectors wpDiscuz plugin 7.0 through 7.0.4 for WordPress, which allows unauthenticated users to upload any type of file, including PHP files via the wmuUploadFiles AJAX action.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| gvectors | wpdiscuz | 7.0 – 7.0.4 | — |
Detection & IOCs
- The exploit extracts a wmuSecurity nonce from the page source (regex: `wmuSecurity":"([a-z0-9]+)"`) before uploading. A GET request to a WordPress post page immediately followed by a POST to admin-ajax.php with wmuUploadFiles action from the same source IP is a strong indicator of exploitation.
- Successful exploitation results in a PHP webshell uploaded under the WordPress uploads directory; the server response contains 'success":true' along with 'fullname', 'shortname', and 'url' fields pointing to the dropped shell.
- Post-upload, the attacker interacts with the dropped webshell via GET requests appending ?cmd=<command> to the shell URL. Monitor for GET requests to wp-content upload paths with a 'cmd' query parameter.
- The exploit sets the X-Requested-With: XMLHttpRequest header on the malicious POST. Combined with multipart/form-data content type and action=wmuUploadFiles, this header combination is a reliable detection signal.
- The Metasploit module targets wpDiscuz versions >= 7.0.0 and <= 7.0.4. Presence of the plugin at /wp-content/plugins/wpdiscuz/ on an unpatched site (below 7.0.5) should be flagged.
- The wmuSecurity nonce value is dynamic and extracted per-request from the target post page; it cannot be used as a static IOC but its extraction pattern (`wmuSecurity":"([a-z0-9]+)"`) can be used in log/traffic analysis.
- The uploaded PHP webshell filename is randomly generated (15 lowercase ASCII characters) in the Python PoC, so filename-based blocking alone is insufficient; content inspection for PHP code with GIF magic-byte prefix is required.
- The vulnerability affects unauthenticated users; no authentication cookies or credentials are required, meaning WAF rules must cover unauthenticated POST requests to admin-ajax.php with the wmuUploadFiles action.
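The access-log and content-inspection signals listed above, as an added detection sketch (not code from this page or from any of the linked sources). It assumes Apache/nginx combined-format access logs, which do not record the POST body, so the `wmuUploadFiles` action itself has to be matched at a WAF or proxy; the log lines, the 10-second window and the function names are constructed for the example.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [08/Jun/2021:10:00:01 +0000] "GET /index.php/2021/06/06/post/ HTTP/1.1" 200 48211 "-" "python-requests/2.25.1"
203.0.113.7 - - [08/Jun/2021:10:00:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 412 "-" "python-requests/2.25.1"
203.0.113.7 - - [08/Jun/2021:10:00:03 +0000] "GET /wp-content/uploads/2021/06/abcdefghijklmno.php?cmd=id HTTP/1.1" 200 31 "-" "python-requests/2.25.1"
198.51.100.20 - - [08/Jun/2021:10:05:00 +0000] "GET /index.php/2021/06/06/post/ HTTP/1.1" 200 48211 "-" "Mozilla/5.0"
198.51.100.20 - - [08/Jun/2021:10:09:30 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 97 "-" "Mozilla/5.0"
198.51.100.20 - - [08/Jun/2021:10:10:00 +0000] "GET /wp-content/uploads/2021/06/photo.jpg HTTP/1.1" 200 20480 "-" "Mozilla/5.0"
"""
LINE_RE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" \d{3} ')
WINDOW = timedelta(seconds=10)  # assumption: how close counts as "immediately followed"

def parse(log_text):
    """Yield (ip, time, method, split URL) for each parsable line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ip, ts, method, target = m.groups()
            yield ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, urlsplit(target)

def detect(log_text):
    """Return (ip, signal) pairs for the two access-log signals described above."""
    last_page_get = {}  # ip -> time of its latest GET to a front-end page
    findings = []
    for ip, when, method, url in parse(log_text):
        path = url.path.lower()
        if method == "POST" and path.endswith("/wp-admin/admin-ajax.php"):
            seen = last_page_get.get(ip)
            if seen is not None and when - seen <= WINDOW:
                findings.append((ip, "page-get-then-ajax-post"))
        elif method == "GET" and "/wp-content/uploads/" in path:
            if "cmd" in parse_qs(url.query, keep_blank_values=True):
                findings.append((ip, "cmd-param-on-uploads-path"))
        elif method == "GET" and "/wp-admin/" not in path:
            last_page_get[ip] = when
    return findings

def gif_prefixed_php(data):
    """Content check for a stored upload: GIF magic bytes followed by a PHP open tag."""
    return data[:6] in (b"GIF87a", b"GIF89a") and b"<?php" in data[6:].lower()
```

Ordinary commenting also produces a page GET followed by an admin-ajax POST, so treat the first signal as a triage lead to correlate with the `cmd` parameter hit or a positive content check, not as a verdict on its own.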
CVSS provenance
NVD v3.1: 10.0 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
NVD v2.0: 7.5 HIGH AV:N/AC:L/Au:N/C:P/I:P/A:P
No detection rules found.
Exploit-DB
WordPress Plugin wpDiscuz 7.0.4 - Remote Code Execution (Unauthenticated)
exploitdb·2021-06-08·CVSS 10.0
---
# Exploit Title: WordPress Plugin wpDiscuz 7.0.4 - Remote Code Execution (Unauthenticated)
# Date: 2021/06/08
# Exploit Author: Fellipe Oliveira
# Vendor Homepage: https://gvectors.com/
# Software Link: https://downloads.wordpress.org/plugin/wpdiscuz.7.0.4.zip
# Version: wpDiscuz 7.0.4
# Tested on: Debian9, Windows 7, Windows 10 (Wordpress 5.7.2)
# CVE : CVE-2020-24186
# Thanks for the great contribution to the code: Z3roC00l (https://twitter.com/zeroc00I)
#!/bin/python3
import requests
import optparse
import re
import random
import time
import string
import json
parser = optparse.OptionParser()
parser.add_option('-u', '--url', action="store", dest="url", help="Base target host: http://192.168.1.81/blog")
pa
Exploit-DB
Wordpress Plugin wpDiscuz 7.0.4 - Arbitrary File Upload (Unauthenticated)
exploitdb·2021-06-07·CVSS 10.0
---
# Exploit Title: Wordpress Plugin wpDiscuz 7.0.4 - Arbitrary File Upload (Unauthenticated)
# Google Dork: inurl:/wp-content/plugins/wpdiscuz/
# Date: 2021-06-06
# Original Author: Chloe Chamberland
# Exploit Author: Juampa Rodríguez aka UnD3sc0n0c1d0
# Vendor Homepage: https://gvectors.com/
# Software Link: https://downloads.wordpress.org/plugin/wpdiscuz.7.0.4.zip
# Version: 7.0.4
# Tested on: Ubuntu / WordPress 5.6.2
# CVE : CVE-2020-24186
#!/bin/bash
if [ -z $1 ]
then
echo -e "\n[i] Usage: exploit.sh [IP] [/index.php/2021/06/06/post]\n"
exit 0
elif [ -z $2 ]
then
echo -e "\n[i] Usage: exploit.sh [IP] [/index.php/2021/06/06/post]\n"
exit 0
else
post=$(curl -sI http://$1$2/ | head -n1)
if [[ "$post" == *"20
Metasploit
WordPress wpDiscuz Unauthenticated File Upload Vulnerability
metasploit
This module exploits an arbitrary file upload in the WordPress wpDiscuz plugin versions >= `7.0.0` and <= `7.0.4`. This flaw gave unauthenticated attackers the ability to upload arbitrary files, including PHP files, and achieve remote code execution on a vulnerable site's server.
Nuclei
WordPress wpDiscuz <=7.0.4 - Remote Code Execution
nuclei·CVSS 10.0
WordPress wpDiscuz =7.0.5) to mitigate this vulnerability.
reference:
  - https://github.com/suncsr/wpDiscuz_unauthenticated_arbitrary_file_upload/blob/main/README.md
  - https://nvd.nist.gov/vuln/detail/CVE-2020-24186
  - https://www.wordfence.com/blog/2020/07/critical-arbitrary-file-upload-vulnerability-patched-in-wpdiscuz-plugin/
  - http://packetstormsecurity.com/files/162983/WordPress-wpDiscuz-7.0.4-Shell-Upload.html
  - https://github.com/ARPSyndicate/cvemon
classification:
  cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  cvss-score: 10
  cve-id: CVE-2020-24186
  cwe-id: CWE-434
  epss-score: 0.94213
  epss-percentile: 0.99922
  cpe: cpe:2.3:a:gvectors:wpdiscuz:*:*:*:*:*:wordpress:*:*
metadata:
  max-request: 2
  vendor: gvectors
  product: wpdiscuz
  framework: wordpress
tags: cve,cve2020,rce,fileupl
arXiv
Maintainable Log Datasets for Evaluation of Intrusion Detection Systems
arxiv_fulltext·2022-03-16
## Abstract
Intrusion detection systems (IDS) monitor system logs and network traffic to recognize malicious activities in computer networks. Evaluating and comparing IDSs with respect to their detection accuracies is thereby essential for their selection in specific use-cases. Despite a great need, hardly any labeled intrusion detection datasets are publicly available. As a consequence, evaluations are often carried out on datasets from real infrastructures, where analysts cannot control system parameters or generate a reliable ground truth, or private datasets that prevent reproducibility of results. As a solution, we present a collection of maintainable log datasets collected in a testbed representing a small enterprise. Thereby, we employ extensive state machines to simulate normal us
Greynoiseio
NoiseLetter January 2026
blogs_greynoiseio
- http://packetstormsecurity.com/files/162983/WordPress-wpDiscuz-7.0.4-Shell-Upload.html
- http://packetstormsecurity.com/files/163012/WordPress-wpDiscuz-7.0.4-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/163302/WordPress-wpDiscuz-7.0.4-Shell-Upload.html
- https://www.wordfence.com/blog/2020/07/critical-arbitrary-file-upload-vulnerability-patched-in-wpdiscuz-plugin/
2020-08-24
Published