CVE-2021-24236
published 2021-05-06


Priority: P273 · Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: EXPLOIT
EPSS: 7.14% (93.5th percentile)
The Imagements WordPress plugin through 1.2.5 allows images to be uploaded in comments, however only checks for the Content-Type in the request to forbid dangerous files. This allows unauthenticated attackers to upload arbitrary files by using a valid image Content-Type along with a PHP filename and code, leading to RCE.

Affected (2 ranges)

Vendor               Product      Version range    Fixed in
imagements_project   imagements   <= 1.2.5         none listed
williewonka          imagements   1.2.5 – 1.2.5    none listed

Detection & IOCs (extracted from sources)

Path: /wp-content/plugins/imagements/images/
  • Unauthenticated file upload via comment submission: attacker sends a PHP file with a valid image Content-Type header. Detect multipart POST requests to the comment endpoint where Content-Type claims an image type but the uploaded filename has a .php (or similar executable) extension.
  • Monitor HTTP GET requests to /wp-content/plugins/imagements/images/ for PHP file execution — successful exploitation results in a web-accessible PHP shell under this path.
  • Look for multipart form-data POST requests containing the WebKit boundary 'WebKitFormBoundaryIYl2Oz8ptq5OMtbU' as a specific exploit-tool fingerprint in HTTP traffic.
  • The plugin only checks the Content-Type header (not the actual file content or extension) to block dangerous uploads, so any valid image MIME type (e.g. image/jpeg) paired with a .php filename bypasses the control entirely.
  • Exploitation requires no authentication: the vulnerable upload vector is exposed through the public comment submission form.
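The detection bullets above describe three checks: a multipart POST to the comment endpoint whose part declares an image Content-Type but carries an executable filename, a GET for a PHP file under the plugin's images directory, and the known boundary string fingerprint. The following script is an added example (not code from the record or from the plugin) that implements those checks over constructed request records, and adds the server-side validation the plugin lacked (extension allowlist plus magic-byte sniffing). It assumes WordPress's comment endpoint is /wp-comments-post.php and represents requests as plain dicts; both are assumptions for the example, not facts stated on this page.

```python
"""Detection and hardening helpers for CVE-2021-24236-style uploads.
Added example, not part of the original record. The comment endpoint path and
the request-record layout are assumptions made for this example."""
import re

COMMENT_ENDPOINT = "/wp-comments-post.php"             # assumption: WordPress comment handler
UPLOAD_DIR = "/wp-content/plugins/imagements/images/"  # path from the record
FINGERPRINT_BOUNDARY = "WebKitFormBoundaryIYl2Oz8ptq5OMtbU"  # boundary named in the record
EXEC_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar"}
IMAGE_TYPES = {"image/jpeg", "image/png", "image/gif", "image/webp"}
ALLOWED = {".jpg": "image/jpeg", ".jpeg": "image/jpeg", ".png": "image/png", ".gif": "image/gif"}
MAGIC = {b"\xff\xd8\xff": "image/jpeg", b"\x89PNG\r\n\x1a\n": "image/png",
         b"GIF87a": "image/gif", b"GIF89a": "image/gif"}


def extension(filename):
    """Lower-cased extension of the last path component, '' if none."""
    name = filename.rsplit("/", 1)[-1].rsplit("\\", 1)[-1].lower()
    return name[name.rfind("."):] if "." in name else ""


def sniff(payload):
    """MIME type implied by the leading bytes, or None if not a known image."""
    return next((mime for magic, mime in MAGIC.items() if payload.startswith(magic)), None)


def parse_multipart(body, boundary):
    """Split a multipart/form-data body into (headers, payload) parts."""
    delim = b"--" + boundary.encode()
    parts = []
    for chunk in body.split(delim)[1:]:
        if chunk.startswith(b"--"):          # closing delimiter "--boundary--"
            break
        head, _, payload = chunk.lstrip(b"\r\n").partition(b"\r\n\r\n")
        headers = {}
        for line in head.decode("latin-1").split("\r\n"):
            if ":" in line:
                key, value = line.split(":", 1)
                headers[key.strip().lower()] = value.strip()
        parts.append((headers, payload[:-2] if payload.endswith(b"\r\n") else payload))
    return parts


def suspicious_parts(body, boundary):
    """File parts whose extension is executable or whose declared image type is not borne out by the bytes."""
    findings = []
    for headers, payload in parse_multipart(body, boundary):
        match = re.search(r'filename="([^"]*)"', headers.get("content-disposition", ""))
        if not match:
            continue                          # ordinary form field, not a file
        fname, ctype = match.group(1), headers.get("content-type", "").split(";")[0].lower()
        reasons = []
        if extension(fname) in EXEC_EXTENSIONS:
            reasons.append("executable extension " + extension(fname))
        if ctype in IMAGE_TYPES and sniff(payload) != ctype:
            reasons.append("declared %s but bytes are not that type" % ctype)
        if reasons:
            findings.append((fname, ctype, reasons))
    return findings


def flag_request(req):
    """Alerts for one request record {method, path, headers, body}; [] when nothing matches."""
    alerts, path, ctype = [], req["path"], req["headers"].get("content-type", "")
    if req["method"] == "POST" and path == COMMENT_ENDPOINT:
        match = re.search(r"boundary=([^;]+)", ctype)
        if match:
            boundary = match.group(1).strip().strip('"')
            if FINGERPRINT_BOUNDARY in boundary:
                alerts.append("known exploit-tool boundary string in multipart POST")
            for fname, declared, reasons in suspicious_parts(req["body"], boundary):
                alerts.append("upload %r (%s): %s" % (fname, declared, "; ".join(reasons)))
    if req["method"] == "GET" and path.startswith(UPLOAD_DIR) and extension(path) in EXEC_EXTENSIONS:
        alerts.append("request for executable file under upload dir: " + path)
    return alerts


def accept_upload(filename, declared_type, payload):
    """Server-side check the plugin should perform: allowlisted extension, real magic bytes, and agreement between all three."""
    ext = extension(filename)
    return ext in ALLOWED and sniff(payload) == ALLOWED[ext] == declared_type.split(";")[0].lower()


def build_multipart(boundary, fields):
    """Constructed request bodies for the samples; fields are (name, filename or None, ctype, payload)."""
    out = b""
    for name, filename, ctype, payload in fields:
        disp = 'form-data; name="%s"' % name + ('; filename="%s"' % filename if filename else "")
        out += b"--%s\r\nContent-Disposition: %s\r\nContent-Type: %s\r\n\r\n" % (
            boundary.encode(), disp.encode(), ctype.encode()) + payload + b"\r\n"
    return out + b"--" + boundary.encode() + b"--\r\n"


# Constructed sample records (not captured traffic).
PNG_BYTES = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
EVIL_BOUNDARY = "----" + FINGERPRINT_BOUNDARY
MALICIOUS_UPLOAD = {"method": "POST", "path": COMMENT_ENDPOINT,
                    "headers": {"content-type": "multipart/form-data; boundary=" + EVIL_BOUNDARY},
                    "body": build_multipart(EVIL_BOUNDARY, [("comment", None, "text/plain", b"hi"),
                                                            ("image", "shell.php", "image/jpeg", b"<?php echo 'placeholder'; ?>")])}
BENIGN_UPLOAD = {"method": "POST", "path": COMMENT_ENDPOINT,
                 "headers": {"content-type": "multipart/form-data; boundary=ExampleBoundary42"},
                 "body": build_multipart("ExampleBoundary42", [("image", "photo.png", "image/png", PNG_BYTES)])}
SHELL_FETCH = {"method": "GET", "path": UPLOAD_DIR + "shell.php", "headers": {}, "body": b""}

if __name__ == "__main__":
    for label, rec in [("malicious", MALICIOUS_UPLOAD), ("benign", BENIGN_UPLOAD), ("fetch", SHELL_FETCH)]:
        print(label, flag_request(rec))
```

The two halves serve different controls: `flag_request` is the detection logic a WAF or log pipeline would apply, while `accept_upload` is the fix the plugin needed, rejecting a file unless extension, declared type and magic bytes all agree. Note that the fingerprint boundary is the weakest of the three signals, since any tool can change it; the extension and content checks hold regardless.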

CVSS provenance

NVD  v3.1  9.8  CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD  v2.0  7.5  HIGH      AV:N/AC:L/Au:N/C:P/I:P/A:P