cbcvebase.
CVE-2021-24212
published 2021-04-05


Priority: P1 (81)
Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Badges: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 7.91% (94.0th percentile)
The WooCommerce Help Scout WordPress plugin before 2.9.1 (https://woocommerce.com/products/woocommerce-help-scout/) allows unauthenticated users to upload any files to the site which by default will end up in wp-content/uploads/hstmp.

Affected

1 range

Vendor       Product     Version range   Fixed in
woocommerce  help_scout  < 2.9.1         2.9.1

Detection & IOCs (extracted from sources)

url:  /wp-admin/admin-ajax.php?action=wc_help_scout_upload_attachments
path: /wp-content/uploads/hstmp/
path: /wp-content/plugins/woocommerce-help-scout
  • Detect unauthenticated POST requests to the WordPress AJAX endpoint with the action parameter set to 'wc_help_scout_upload_attachments', which triggers the arbitrary file upload vulnerability.
  • Monitor for newly created files (especially .php files) under the wp-content/uploads/hstmp/ directory, which is the default drop location for uploaded files exploiting this vulnerability.
  • Confirm exploitation by issuing a GET request to /wp-content/uploads/hstmp/<uploaded_filename> and checking for a 200 HTTP response, indicating the uploaded file is web-accessible and potentially executable.
  • Fingerprint vulnerable installations by searching for the string '/wp-content/plugins/woocommerce-help-scout' in HTTP response bodies (FOFA/Shodan-style passive detection).
  • The exploit uses a multipart/form-data POST with a field named 'file' containing a PHP payload; inspect Content-Type and form-data field names in requests to the AJAX endpoint.
  • The vulnerability affects WooCommerce Help Scout plugin versions before 2.9.1 only; patched installations (2.9.1+) are not affected.
  • The Nuclei template is marked 'verified: false', meaning the detection logic has not been confirmed against a live vulnerable instance and may produce false positives.

CVSS provenance

Source     Version  Score  Severity  Vector
nvd        v3.1     9.8    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd        v2.0     7.5    HIGH      AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck           9.8    CRITICAL