CVE-2021-24236
Published: 2021-05-06
Priority: P2 (73) · Critical 9.8 · CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT · EPSS: 7.14% (93.5th percentile)
The Imagements WordPress plugin through 1.2.5 allows images to be uploaded in comments, however only checks for the Content-Type in the request to forbid dangerous files. This allows unauthenticated attackers to upload arbitrary files by using a valid image Content-Type along with a PHP filename and code, leading to RCE.
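The flaw described above is a Content-Type-only check. The block below is an added example written for this page, not code from the Imagements plugin (which is PHP): it puts that weak check beside a hardened validator that keys on an extension allow-list, the file's leading signature bytes, a double-extension and null-byte check, and a server-generated storage name. The `MAGIC` table, the executable-extension list, the `image/*` MIME requirement and the function names are the example's own assumptions about the hosting environment, not taken from the plugin or the advisory.

```python
import os
import secrets
from typing import Optional

# Assumed policy for this example: only these image types are accepted.
ALLOWED_EXTS = {".jpg", ".jpeg", ".png", ".gif"}
# Extensions a typical PHP host hands to the interpreter; tune to your server config.
EXEC_EXTS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar", ".phps"}
# Leading bytes each allowed format must start with (tuples so bytes.startswith accepts them).
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",), ".gif": (b"GIF87a", b"GIF89a"),
}


def vulnerable_check(content_type: str, filename: str, data: bytes) -> bool:
    """The flawed pattern: trust the client-supplied part Content-Type and nothing else."""
    return content_type.lower().startswith("image/")


def validate_upload(content_type: str, filename: str, data: bytes) -> Optional[str]:
    """Return a server-chosen storage name for an acceptable image, or None to reject."""
    name = os.path.basename(filename)
    if not name or "\x00" in name:          # null bytes are a classic extension-check bypass
        return None
    pieces = name.lower().split(".")
    if len(pieces) < 2:
        return None
    ext = "." + pieces[-1]
    if ext not in ALLOWED_EXTS:             # allow-list the last extension
        return None
    # shell.php.jpg: Apache mod_mime can still route the inner .php to the interpreter.
    if any("." + p in EXEC_EXTS for p in pieces[1:-1]):
        return None
    if not content_type.lower().startswith("image/"):
        return None
    if not data.startswith(MAGIC[ext]):      # the bytes must match the claimed format
        return None
    if b"<?php" in data or b"<?=" in data:   # polyglot: valid image header with PHP appended
        return None
    # Never reuse the client's name: random name plus the allow-listed extension.
    return secrets.token_hex(16) + ext
```

`vulnerable_check` accepts `shell.php` as long as the part says `image/jpeg`, which is exactly the bypass in the advisory; `validate_upload` rejects it on the extension alone, and also rejects the double-extension, null-byte and polyglot variants that a fix limited to "check the extension" would still let through.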
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| imagements_project | imagements | <= 1.2.5 | — |
| williewonka | imagements | 1.2.5 – 1.2.5 | — |
Detection & IOCs (extracted from sources)
Path: /wp-content/plugins/imagements/images/
- Unauthenticated file upload via comment submission: the attacker sends a PHP file whose multipart part carries a valid image Content-Type. Detect multipart POST requests to the comment endpoint in which a file part's Content-Type claims an image type but the filename carries a .php (or other server-executable) extension.
- Monitor HTTP GET requests for PHP files under /wp-content/plugins/imagements/images/. Successful exploitation leaves a web-accessible PHP shell under this path, so any request for a .php file there is post-exploitation activity.
- The public exploit template sends multipart form-data with the boundary 'WebKitFormBoundaryIYl2Oz8ptq5OMtbU'. This can serve as a tool fingerprint in HTTP traffic, but the boundary is attacker-chosen and trivially changed, so treat it as corroborating evidence rather than a primary indicator.
- The plugin checks only the Content-Type header (not the file content or the extension) to block dangerous uploads, so any valid image MIME type (e.g. image/jpeg) paired with a .php filename bypasses the control entirely.
- Exploitation requires no authentication: the vulnerable upload vector is exposed through the public comment submission form.
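The detection points above, combined into one analyzer run over raw HTTP requests, as an added example written for this page (not code from any of the cited sources). It parses the multipart body itself, flags a file part whose Content-Type claims `image/*` while the filename has an executable extension, flags PHP open tags in uploaded content, flags any executable requested under the plugin's images directory, and notes the template's boundary string as a low-fidelity corroborating hit. The three sample requests are constructed; the target `/wp-comments-post.php` (WordPress core's comment endpoint) and the file field name `image` are assumptions for the sample, not details taken from the plugin.

```python
import os
import re
from typing import Dict, Iterator, List, Tuple

# Extensions a typical PHP host hands to the interpreter; extend to match your server.
EXEC_EXTS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar", ".phps"}
# Directory the plugin stores comment images in (path from the IOC list above).
IMAGES_DIR = "/wp-content/plugins/imagements/images/"
# Boundary used by the public Nuclei template; attacker-chosen, so corroborating only.
KNOWN_BOUNDARY = "WebKitFormBoundaryIYl2Oz8ptq5OMtbU"


def _parse_headers(block: bytes) -> Dict[str, str]:
    headers = {}
    for line in block.split(b"\r\n"):
        name, sep, value = line.decode("latin-1").partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def iter_parts(body: bytes, boundary: str) -> Iterator[Tuple[Dict[str, str], bytes]]:
    """Yield (headers, content) for every part of a multipart/form-data body."""
    delim = b"--" + boundary.encode("latin-1")
    for chunk in body.split(delim)[1:]:
        if chunk.startswith(b"--"):            # "--boundary--" closes the body
            break
        if chunk.startswith(b"\r\n"):
            chunk = chunk[2:]
        head, _, content = chunk.partition(b"\r\n\r\n")
        if content.endswith(b"\r\n"):          # CRLF before the next delimiter is not payload
            content = content[:-2]
        yield _parse_headers(head), content


def analyze_request(raw: bytes) -> List[str]:
    """Return finding tags for one raw HTTP request (empty list when nothing matches)."""
    findings: List[str] = []
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, _, header_block = head.partition(b"\r\n")
    method, target, _ = request_line.decode("latin-1").split(" ", 2)
    headers = _parse_headers(header_block)
    path = target.split("?", 1)[0]
    # Post-exploitation: an executable file requested from the upload directory.
    if path.startswith(IMAGES_DIR) and os.path.splitext(path)[1].lower() in EXEC_EXTS:
        findings.append("exec-request-under-images-dir")
    if method != "POST":
        return findings
    m = re.search(r'boundary="?([^";]+)"?', headers.get("content-type", ""))
    if not m:
        return findings
    boundary = m.group(1)
    if boundary == KNOWN_BOUNDARY:
        findings.append("known-exploit-boundary")
    for part_headers, content in iter_parts(body, boundary):
        fm = re.search(r'filename="([^"]*)"', part_headers.get("content-disposition", ""))
        if not fm:
            continue                           # plain form field, not a file upload
        filename = fm.group(1)
        ext = os.path.splitext(filename)[1].lower()
        part_ct = part_headers.get("content-type", "").lower()
        if ext in EXEC_EXTS and part_ct.startswith("image/"):
            findings.append("image-mime-exec-name:" + filename)
        if content.lstrip().startswith((b"<?php", b"<?=")):
            findings.append("php-tag-in-upload:" + filename)
    return findings


def build_multipart(boundary: str, parts: List[dict]) -> bytes:
    """Assemble a multipart/form-data body from {'name', ['filename', 'type'], 'data'} dicts."""
    out = b""
    for p in parts:
        out += ('--%s\r\nContent-Disposition: form-data; name="%s"' % (boundary, p["name"])).encode()
        if "filename" in p:
            out += ('; filename="%s"\r\nContent-Type: %s' % (p["filename"], p["type"])).encode()
        out += b"\r\n\r\n" + p["data"] + b"\r\n"
    return out + ("--%s--\r\n" % boundary).encode()


def _post(boundary: str, body: bytes) -> bytes:
    # Constructed sample; /wp-comments-post.php is the assumed (WordPress core) comment endpoint.
    return (b"POST /wp-comments-post.php HTTP/1.1\r\nHost: blog.example\r\n"
            + ("Content-Type: multipart/form-data; boundary=%s\r\n" % boundary).encode()
            + ("Content-Length: %d\r\n\r\n" % len(body)).encode() + body)


def exploit_request() -> bytes:
    """Constructed sample: PHP named shell.php sent with an image Content-Type.
    The file field name 'image' is an assumption, not taken from the plugin."""
    return _post(KNOWN_BOUNDARY, build_multipart(KNOWN_BOUNDARY, [
        {"name": "comment", "data": b"nice post"},
        {"name": "image", "filename": "shell.php", "type": "image/png",
         "data": b"<?php echo md5('probe'); ?>"},
        {"name": "comment_post_ID", "data": b"1"}]))


def benign_request() -> bytes:
    """Constructed sample: a real JPEG attached to a comment."""
    b = "----geckoformboundary7f3a"
    return _post(b, build_multipart(b, [
        {"name": "comment", "data": b"cute"},
        {"name": "image", "filename": "cat.jpg", "type": "image/jpeg",
         "data": b"\xff\xd8\xff\xe0" + b"\x00" * 32}]))


def shell_get_request() -> bytes:
    """Constructed sample: the post-exploitation request for the dropped shell."""
    return b"GET " + IMAGES_DIR.encode() + b"shell.php?c=id HTTP/1.1\r\nHost: blog.example\r\n\r\n"
```

The MIME-versus-extension mismatch and the PHP open tag are the high-confidence signals; `known-exploit-boundary` only fires for the unmodified public template and should raise severity of the other findings rather than alert on its own.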
CVSS provenance
NVD v3.1: 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
NVD v2.0: 7.5 HIGH (AV:N/AC:L/Au:N/C:P/I:P/A:P)
No detection rules found.
Nuclei template (CVSS 9.8): CVE-2021-24236 [CRITICAL] WordPress Imagements <=1.2.5 - Arbitrary File Upload
Template excerpt as shown on the page (the head of the raw POST request is not present here):

```yaml
      ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
      Content-Disposition: form-data; name="submit"

      Post Comment
      ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
      Content-Disposition: form-data; name="comment_post_ID"

      {{post}}
      ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
      Content-Disposition: form-data; name="comment_parent"

      0
      ------WebKitFormBoundaryIYl2Oz8ptq5OMtbU--

    - |
      GET /wp-content/plugins/imagements/images/{{php}} HTTP/1.1
      Host: {{Hostname}}

    matchers:
      - type: word
        part: body_2
        words:
          - '{{md5(string)}}'
# digest: 4a0a0047304502203f53e84edcdf321512ae43cf2d2359f1bc1b3c8ad71d9bc0f77f6249906b8b4a022100ce9872c16602580c58821be437b4f1a7b4ee23e17a07dfba4017e80b6ea9e55a:922c64590222798bb761d5b6d8e72950
```