CVE-2021-24123Unrestricted File Upload in Powerpress

CWE-434Unrestricted File Upload3 documents3 sources
Severity
7.2HIGHNVD
EPSS
0.9%
top 24.68%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Blubrry Powerpress
Timeline
PublishedMar 18
Latest updateMay 24

Description

Arbitrary file upload in the PowerPress WordPress plugin, versions before 8.3.8, did not verify some of the uploaded feed images (such as the ones from Podcast Artwork section), allowing high privilege accounts (admin+) being able to upload arbitrary files, such as php, leading to RCE.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 1.2 | Impact: 5.9

Affected Packages1 packages

NVDblubrry/powerpress< 8.3.8

🔴Vulnerability Details

2
GHSA
GHSA-7cm9-xr5m-957v: Arbitrary file upload in the PowerPress WordPress plugin, versions before 82022-05-24
CVEList
PowerPress < 8.3.8 - Authenticated Arbitrary File Upload leading to RCE2021-03-18
CVE-2021-24123 — Unrestricted File Upload in Powerpress | cvebase