CVE-2020-24186
published 2020-08-24


Priority: P1 (88, critical)
CVSS 3.1: 10 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Exploit: available
EPSS: 94.53% (99.8th percentile)
A Remote Code Execution vulnerability exists in the gVectors wpDiscuz plugin 7.0 through 7.0.4 for WordPress, which allows unauthenticated users to upload any type of file, including PHP files via the wmuUploadFiles AJAX action.

Affected

1 range

Vendor    Product   Version range   Fixed in
gvectors  wpdiscuz  7.0 – 7.0.4

Detection & IOCs (extracted from sources)

  • The exploit extracts a wmuSecurity nonce from the page source (regex: wmuSecurity":"([a-z0-9]+)") before uploading. A GET request to a WordPress post page immediately followed by a POST to admin-ajax.php with wmuUploadFiles action from the same source IP is a strong indicator of exploitation.
  • Successful exploitation results in a PHP webshell uploaded under the WordPress uploads directory; the server response contains 'success":true' along with 'fullname', 'shortname', and 'url' fields pointing to the dropped shell.
  • Post-upload, the attacker interacts with the dropped webshell via GET requests appending ?cmd=<command> to the shell URL. Monitor for GET requests to wp-content upload paths with a 'cmd' query parameter.
  • The exploit sets the X-Requested-With: XMLHttpRequest header on the malicious POST. Combined with multipart/form-data content type and action=wmuUploadFiles, this header combination is a reliable detection signal.
  • The Metasploit module targets wpDiscuz versions >= 7.0.0 and <= 7.0.4. Presence of the plugin at /wp-content/plugins/wpdiscuz/ on an unpatched site (below 7.0.5) should be flagged.
  • The wmuSecurity nonce value is dynamic and extracted per-request from the target post page; it cannot be used as a static IOC, but its extraction pattern (wmuSecurity":"([a-z0-9]+)") can be used in log/traffic analysis.
  • The uploaded PHP webshell filename is randomly generated (15 lowercase ASCII characters) in the Python PoC, so filename-based blocking alone is insufficient; content inspection for PHP code with a GIF magic-byte prefix is required.
  • The vulnerability affects unauthenticated users; no authentication cookies or credentials are required, meaning WAF rules must cover unauthenticated POST requests to admin-ajax.php with the wmuUploadFiles action.
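The detection signals in the list above, turned into runnable log analysis. This is an added example written for this page, not code from the site, the plugin, or the PoC; the JSON-lines log format and its field names (src_ip, form_action, x_requested_with, content_type) are assumptions standing in for whatever a reverse proxy or WAF actually records (note that the action name travels in the multipart body, so a plain access log that only stores the request line will not show it). The sample log is constructed: the first source IP reproduces the described sequence (post page view, wmuUploadFiles POST, GET under uploads with ?cmd=), the second is ordinary WordPress AJAX traffic that must not alert.

```python
"""Detection logic for the CVE-2020-24186 IOCs above (added example; log
field names are assumptions, not a real product's schema)."""
import json
from datetime import datetime, timedelta
from urllib.parse import parse_qs

# Constructed JSON-lines proxy/WAF log (not real traffic).
SAMPLE_LOG = """
{"ts": "2020-08-24T10:00:01Z", "src_ip": "203.0.113.7", "method": "GET", "path": "/2020/08/hello-world/", "query": "", "content_type": "", "x_requested_with": "", "form_action": "", "status": 200}
{"ts": "2020-08-24T10:00:03Z", "src_ip": "203.0.113.7", "method": "POST", "path": "/wp-admin/admin-ajax.php", "query": "", "content_type": "multipart/form-data; boundary=----constructed", "x_requested_with": "XMLHttpRequest", "form_action": "wmuUploadFiles", "status": 200}
{"ts": "2020-08-24T10:00:09Z", "src_ip": "203.0.113.7", "method": "GET", "path": "/wp-content/uploads/2020/08/abcdefghijklmno.php", "query": "cmd=id", "content_type": "", "x_requested_with": "", "form_action": "", "status": 200}
{"ts": "2020-08-24T10:05:00Z", "src_ip": "198.51.100.4", "method": "GET", "path": "/2020/08/hello-world/", "query": "", "content_type": "", "x_requested_with": "", "form_action": "", "status": 200}
{"ts": "2020-08-24T10:05:02Z", "src_ip": "198.51.100.4", "method": "POST", "path": "/wp-admin/admin-ajax.php", "query": "", "content_type": "application/x-www-form-urlencoded", "x_requested_with": "XMLHttpRequest", "form_action": "heartbeat", "status": 200}
"""

# Prefixes that are not public post/page views (the nonce is embedded in public pages).
WP_INTERNAL = ("/wp-admin/", "/wp-content/", "/wp-includes/", "/wp-json/")


def parse_log(text):
    """Parse JSON lines into event dicts, converting 'ts' to a datetime."""
    events = []
    for line in text.strip().splitlines():
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def is_page_view(e):
    """GET to a public post/page, i.e. where a wmuSecurity nonce could be read."""
    return e["method"] == "GET" and not e["path"].startswith(WP_INTERNAL)


def is_upload_attempt(e):
    """POST to admin-ajax.php with action=wmuUploadFiles, multipart body and
    X-Requested-With: XMLHttpRequest, the header combination from the IOCs."""
    return (e["method"] == "POST"
            and e["path"].endswith("/wp-admin/admin-ajax.php")
            and e["form_action"] == "wmuUploadFiles"
            and e["content_type"].lower().startswith("multipart/form-data")
            and e["x_requested_with"] == "XMLHttpRequest")


def is_uploads_cmd_request(e):
    """GET under wp-content/uploads carrying a 'cmd' query parameter."""
    return (e["method"] == "GET"
            and "/wp-content/uploads/" in e["path"]
            and "cmd" in parse_qs(e["query"]))


def detect(events, window=timedelta(seconds=30)):
    """Return one alert dict per suspicious event, in time order.

    An upload attempt is flagged 'chained_with_page_view' when the same source
    IP fetched a public page within `window` beforehand (the page-view-then-
    upload pattern described in the IOCs)."""
    last_page_view = {}
    alerts = []
    for e in sorted(events, key=lambda x: x["ts"]):
        ip = e["src_ip"]
        if is_page_view(e):
            last_page_view[ip] = e["ts"]
        elif is_upload_attempt(e):
            prior = last_page_view.get(ip)
            alerts.append({
                "rule": "wmuUploadFiles_upload", "src_ip": ip,
                "ts": e["ts"].isoformat(),
                "chained_with_page_view": prior is not None and e["ts"] - prior <= window,
            })
        elif is_uploads_cmd_request(e):
            alerts.append({
                "rule": "uploads_cmd_param", "src_ip": ip,
                "ts": e["ts"].isoformat(), "chained_with_page_view": False,
            })
    return alerts


def looks_like_gif_php_polyglot(data: bytes) -> bool:
    """Content check for an upload that starts with GIF magic bytes but also
    contains a PHP open tag; needed because the dropped filename is random."""
    return data[:4] == b"GIF8" and (b"<?php" in data or b"<?=" in data)


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert)
```

The 30-second window is a tuning knob: the nonce fetch and the upload happen back to back in automated exploitation, so a short window keeps the chained flag meaningful while the upload rule alone still fires on any matching POST regardless of timing. Run looks_like_gif_php_polyglot over the stored file bytes (or the multipart part body at the WAF) rather than over the request line.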

CVSS provenance

NVD, CVSS v3.1: 10.0 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
NVD, CVSS v2.0: 7.5 HIGH (AV:N/AC:L/Au:N/C:P/I:P/A:P)