CVE-2021-24284
published 2021-05-14


Priority: P189
Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploited in the wild (ITW exploit): listed in VulnCheck KEV
EPSS: 42.14% (98.5th percentile)
The Kaswara Modern VC Addons WordPress plugin through 3.0.1 allows unauthenticated arbitrary file upload via the 'uploadFontIcon' AJAX action. The supplied zipfile being unzipped in the wp-content/uploads/kaswara/fonts_icon directory with no checks for malicious files such as PHP.

Affected (2 ranges)

Vendor            Product                    Version range   Fixed in
kaswara_project   kaswara                    <= 3.0.1        none (no patched release; remove the plugin)
sayenthemes       kaswara_modern_vc_addons   3.0.1 – 3.0.1   none (no patched release; remove the plugin)

Detection & IOCs (extracted from sources)

  url      /wp-admin/admin-ajax.php?action=uploadFontIcon
  path     /wp-content/uploads/kaswara/fonts_icon/
  command  uploadFontIcon
  bytes    504B03040A0000000000FA73F454B2333E07140000001400000006001C00
           (a ZIP local file header: signature PK\x03\x04, method 0000 = stored, 0x14 = 20-byte entry, 6-byte file name, 28-byte extra field)
  • Detect exploit attempts by monitoring POST requests to /wp-admin/admin-ajax.php with the query parameter action=uploadFontIcon, especially from unauthenticated sessions.
  • Alert on multipart form-data uploads containing a field named 'fonticonzipfile' paired with a 'fontsetname' field; this is the request shape the exploit uses.
  • Monitor the wp-content/uploads/kaswara/fonts_icon/ directory tree for newly created PHP files, which indicate successful exploitation and webshell placement.
  • Successful exploitation is confirmed when the upload response body contains the string 'wp-content/uploads/kaswara/fonts_icon/' followed by a subdirectory path and 'style.css', indicating the zip was extracted.
  • The exploit crafts a ZIP file containing a PHP webshell; network signatures should match multipart uploads to admin-ajax.php whose body contains the ZIP local file header magic (PK\x03\x04). The same endpoint serves the plugin's own icon-font upload, so ZIP bytes alone are a low-confidence signal; a PHP entry inside the archive is the high-confidence one.
  • The PHP filename within the malicious ZIP is randomized (rand_text_alpha) at runtime, so file-name-based detection alone is insufficient; focus on the upload path and the presence of PHP files anywhere under the fonts_icon directory.
  • The ZIP filename (fontsetname) is also randomized, so the extracted subdirectory under fonts_icon varies per attack; wildcard or directory-level monitoring is required.
  • The vulnerability affects Kaswara Modern VC Addons through version 3.0.1; no patched version was released and users were advised to remove the plugin entirely.
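The indicators above, turned into runnable checks. This is an added example, not code from the plugin, NVD, VulnCheck or any exploit author. The endpoint, action name, form field names, upload path and success marker are taken from the bullets above; the host name, multipart boundary, directory names, PHP file name and sample archives are constructed here, and treating .phtml/.phar/.phpN as executable alongside .php is my own hardening assumption.

```python
# Added example for CVE-2021-24284 indicator checks; all inputs below are constructed.
import io
import re
import tempfile
import zipfile
from pathlib import Path

AJAX_PATH = "/wp-admin/admin-ajax.php"
ACTION = "uploadFontIcon"
UPLOAD_DIR = "wp-content/uploads/kaswara/fonts_icon/"
ZIP_MAGIC = b"PK\x03\x04"  # ZIP local-file-header signature (the 504B0304 IOC above)
# '.php' is what the exploit drops; phtml/phar/phpN is a hardening superset (assumption).
PHP_NAME_RE = re.compile(r"\.(php\d?|phtml|phar)$", re.IGNORECASE)
# Success marker from the IOCs; '\\?/' also tolerates JSON-escaped slashes ('\/').
SUCCESS_RE = re.compile(re.escape(UPLOAD_DIR).replace("/", r"\\?/") + r"([^/\s'\"\\]+)\\?/style\.css")


def build_zip(entries: dict) -> bytes:
    """Constructed sample: in-memory ZIP built from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_upload_request(fontsetname: str, zip_bytes: bytes, boundary: str = "----x1y2z3") -> bytes:
    """Constructed sample: the multipart POST shape the indicators above describe."""
    body = (
        f'--{boundary}\r\nContent-Disposition: form-data; name="fontsetname"\r\n\r\n{fontsetname}\r\n'
        f'--{boundary}\r\nContent-Disposition: form-data; name="fonticonzipfile"; '
        f'filename="{fontsetname}.zip"\r\nContent-Type: application/zip\r\n\r\n'
    ).encode() + zip_bytes + f"\r\n--{boundary}--\r\n".encode()
    head = (
        f"POST {AJAX_PATH}?action={ACTION} HTTP/1.1\r\nHost: shop.example\r\n"
        f"Content-Type: multipart/form-data; boundary={boundary}\r\n"
        f"Content-Length: {len(body)}\r\n\r\n"
    ).encode()
    return head + body


def php_entries(zip_bytes: bytes) -> list:
    """Entry names a PHP-enabled webroot would execute; [] if the bytes are not a ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            return [n for n in zf.namelist() if PHP_NAME_RE.search(n)]
    except zipfile.BadZipFile:
        return []


def analyze_request(raw: bytes) -> dict:
    """Classify one raw HTTP request against the indicators listed above."""
    head, _, body = raw.partition(b"\r\n\r\n")
    text = head.decode("latin-1")
    method, _, target = text.split("\r\n", 1)[0].partition(" ")
    path, _, query = target.split(" ")[0].partition("?")
    m = re.search(r'boundary="?([^;\s"]+)', text)
    boundary = m.group(1).encode() if m else b""
    # admin-ajax.php reads 'action' from $_REQUEST, so accept it in the query or as a POST field.
    action_hit = (f"action={ACTION}" in query.split("&")
                  or f'name="action"\r\n\r\n{ACTION}'.encode() in body)
    r = {
        "ajax_action": method == "POST" and path == AJAX_PATH and action_hit,
        "upload_fields": b'name="fonticonzipfile"' in body and b'name="fontsetname"' in body,
        "zip_magic": ZIP_MAGIC in body,
        "php_in_zip": [],
    }
    if r["zip_magic"] and boundary:
        # The file part runs from the ZIP signature to the CRLF before the next delimiter;
        # cut it out so the archive itself, not just its magic bytes, gets inspected.
        start = body.find(ZIP_MAGIC)
        end = body.find(b"\r\n--" + boundary, start)
        r["php_in_zip"] = php_entries(body[start:end if end != -1 else None])
    if r["ajax_action"] and r["upload_fields"] and r["zip_magic"]:
        # A bare hit may be the plugin's own icon upload (still worth an alert, since no
        # fixed version exists); a PHP entry inside the archive is the high-confidence signal.
        r["verdict"] = "php_payload" if r["php_in_zip"] else "font_icon_upload"
    else:
        r["verdict"] = "no_match"
    return r


def extracted_subdir(response_body: str):
    """Subdirectory named in a successful upload response, or None."""
    m = SUCCESS_RE.search(response_body)
    return m.group(1) if m else None


def find_php_files(fonts_icon_dir: Path) -> list:
    """Walk every subdirectory: the fontsetname directory is randomized per attack."""
    return sorted(str(p.relative_to(fonts_icon_dir)).replace("\\", "/")
                  for p in fonts_icon_dir.rglob("*")
                  if p.is_file() and PHP_NAME_RE.search(p.name))


def demo_filesystem_scan() -> list:
    """Constructed tree: a legitimate icon set next to an extracted hostile archive."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp, "wp-content", "uploads", "kaswara", "fonts_icon")
        (root / "myicons").mkdir(parents=True)
        (root / "myicons" / "style.css").write_text(".icon{}")
        (root / "qZkLpW").mkdir()
        (root / "qZkLpW" / "style.css").write_text("")
        (root / "qZkLpW" / "hTyUi.php").write_text("<?php /* stand-in for a webshell */ ?>")
        return find_php_files(root)
```

The request analyzer has no session context, so a `font_icon_upload` verdict cannot by itself separate an administrator's legitimate icon upload from an unauthenticated attacker; in a real pipeline, correlate it with the absence of a WordPress login cookie on the request. `php_payload` needs no such correlation, and `find_php_files` catches the case where the request was never captured but the archive was extracted.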

CVSS provenance

  NVD        v3.1  9.8  CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  NVD        v2.0  7.5  HIGH      AV:N/AC:L/Au:N/C:P/I:P/A:P
  VulnCheck        9.8  CRITICAL