CVE-2021-24284
Published 2021-05-14
Priority: P189 · critical · CVSS 3.1 base score 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Flags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 42.14% (98.5th percentile)
The Kaswara Modern VC Addons WordPress plugin through 3.0.1 allows unauthenticated arbitrary file upload via the 'uploadFontIcon' AJAX action. The supplied zip file is unzipped into the wp-content/uploads/kaswara/fonts_icon directory with no checks for malicious files such as PHP.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| kaswara_project | kaswara | <= 3.0.1 | — |
| sayenthemes | kaswara_modern_vc_addons | = 3.0.1 | — |
Detection & IOCs (extracted from sources)
Bytes (ZIP local-file-header prefix; 50 4B 03 04 is the PK\x03\x04 magic): 504B03040A0000000000FA73F454B2333E07140000001400000006001C00
- Detect exploit attempts by monitoring POST requests to /wp-admin/admin-ajax.php with the query parameter action=uploadFontIcon, especially requests that carry no wordpress_logged_in_* cookie. admin-ajax.php serves unauthenticated "nopriv" actions, so the absence of a session is expected for this exploit.
- Alert on multipart/form-data uploads containing a field named 'fonticonzipfile' paired with a 'fontsetname' field; this is the exploit's upload mechanism.
- Monitor the wp-content/uploads/kaswara/fonts_icon/ directory for newly created PHP files, which indicate successful exploitation and webshell placement.
- Successful exploitation is confirmed when the response body for the upload contains the string 'wp-content/uploads/kaswara/fonts_icon/' followed by a subdirectory path and 'style.css', indicating the zip was extracted.
- The exploit crafts a ZIP file containing a PHP webshell; network signatures should match multipart uploads to admin-ajax.php whose body contains the ZIP magic bytes (PK\x03\x04). On its own this also matches legitimate plugin, theme and media uploads, so pair it with the action parameter and the field names above.
- The PHP filename within the malicious ZIP is randomized (rand_text_alpha) at runtime, so filename-based detection alone is insufficient; focus on the upload path and the presence of PHP files in the fonts_icon directory.
- The ZIP filename (fontsetname) is also randomized, so the extracted subdirectory under fonts_icon varies per attack; wildcard or directory-level monitoring is required.
- The vulnerability affects Kaswara Modern VC Addons through version 3.0.1; no patched version was released and users were advised to remove the plugin entirely.
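The indicators above turned into runnable detection logic. This is an added example, not code from any of the sources on this page or from the plugin: it parses constructed sample access-log lines (the combined log format with a trailing quoted Cookie field is an assumed logging setup), inspects a constructed multipart body for the fontsetname/fonticonzipfile pair, the PK\x03\x04 magic and PHP members inside the ZIP, checks a response for the fonts_icon/<subdir>/style.css success marker, and walks an uploads tree for PHP files under fonts_icon. IPs, field values, file names and the boundary string in the samples are made up.

```python
"""Detection helpers for CVE-2021-24284 (Kaswara 'uploadFontIcon' upload).
Added example, not code from the page's sources or the plugin. Every input (log
lines, multipart body, directory tree) is constructed below; the log layout
(combined format plus a trailing quoted Cookie field) is an assumption."""
import io
import os
import re
import tempfile
import zipfile
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines, not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Dec/2023:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=uploadFontIcon HTTP/1.1" 200 118 "-" "python-requests/2.31" "-"
198.51.100.3 - - [24/Dec/2023:10:02:15 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 45 "-" "Mozilla/5.0" "wordpress_logged_in_abc=admin"
203.0.113.7 - - [24/Dec/2023:10:01:05 +0000] "GET /wp-content/uploads/kaswara/fonts_icon/xkqz/shell.php?cmd=id HTTP/1.1" 200 512 "-" "python-requests/2.31" "-"
"""
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" "(?P<cookie>[^"]*)"$')
UPLOAD_DIR = "/wp-content/uploads/kaswara/fonts_icon/"
PHP_EXTS = (".php", ".php5", ".php7", ".phtml", ".phar")
# A successful upload echoes the extracted style.css path; the subdirectory varies per attack.
SUCCESS_RE = re.compile(r"wp-content/uploads/kaswara/fonts_icon/[^/\s\"']+/style\.css")

def scan_log(text):
    """Flag uploadFontIcon POSTs (noting any login cookie) and PHP hits under fonts_icon."""
    findings = []
    for m in filter(None, map(LOG_RE.match, text.splitlines())):  # skip unparseable lines
        url = urlsplit(m["target"])
        action = parse_qs(url.query).get("action", [])
        if (m["method"] == "POST" and url.path.endswith("/wp-admin/admin-ajax.php")
                and "uploadFontIcon" in action):
            # The action can also travel in the POST body; catching that needs body logging.
            findings.append(("upload_attempt", m["ip"], "wordpress_logged_in_" in m["cookie"]))
        elif url.path.startswith(UPLOAD_DIR) and url.path.lower().endswith(PHP_EXTS):
            findings.append(("webshell_access", m["ip"], int(m["status"])))
    return findings

def inspect_multipart(body, boundary):
    """Report the upload shape: fontsetname + fonticonzipfile, ZIP magic, PHP members in the ZIP."""
    fields = {}
    for part in body.split(b"--" + boundary)[1:]:
        if part.startswith(b"--"):  # closing delimiter
            break
        head, _, data = part.partition(b"\r\n\r\n")
        name = re.search(rb'\bname="([^"]+)"', head)  # \b stops filename="..." from matching
        if name:
            fields[name.group(1).decode()] = data[:-2] if data.endswith(b"\r\n") else data
    blob = fields.get("fonticonzipfile", b"")
    report = {"has_upload_fields": {"fontsetname", "fonticonzipfile"} <= set(fields),
              "zip_magic": blob.startswith(b"PK\x03\x04"), "php_members": []}
    if report["zip_magic"]:
        try:
            with zipfile.ZipFile(io.BytesIO(blob)) as zf:
                report["php_members"] = [n for n in zf.namelist() if n.lower().endswith(PHP_EXTS)]
        except zipfile.BadZipFile:
            pass  # PK magic but unreadable archive: still worth an alert
    return report

def build_sample_request():
    """Construct a body shaped like the exploit's upload (placeholder PHP, not a shell)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("style.css", "/* decoy */")
        zf.writestr("x7f3q.php", "<?php echo 'constructed sample'; ?>")
    boundary = b"----constructedBoundary42"
    def part(name, value, filename=None):
        disp = b'form-data; name="' + name + b'"' + (b'; filename="' + filename + b'"' if filename else b"")
        return b"--" + boundary + b"\r\nContent-Disposition: " + disp + b"\r\n\r\n" + value + b"\r\n"
    body = part(b"fontsetname", b"xkqz") + part(b"fonticonzipfile", buf.getvalue(), b"xkqz.zip")
    return body + b"--" + boundary + b"--\r\n", boundary

def upload_succeeded(response_text):
    """True when the upload response echoes the extracted style.css path."""
    return SUCCESS_RE.search(response_text) is not None

def find_php_in_fonts_icon(uploads_root):
    """Walk uploads/kaswara/fonts_icon for PHP files; subdirectory names are attacker-chosen."""
    base = os.path.join(uploads_root, "kaswara", "fonts_icon")
    hits = []
    for dirpath, _, files in os.walk(base):
        for f in files:
            if f.lower().endswith(PHP_EXTS):
                hits.append(os.path.relpath(os.path.join(dirpath, f), uploads_root).replace(os.sep, "/"))
    return sorted(hits)

def demo_filesystem_scan():
    """Build a constructed uploads tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        d = os.path.join(root, "kaswara", "fonts_icon", "xkqz")
        os.makedirs(d)
        for name in ("style.css", "x7f3q.php"):
            open(os.path.join(d, name), "w").close()
        return find_php_in_fonts_icon(root)
```

Point scan_log at your own access-log export and inspect_multipart at captured request bodies; the log pattern will need adjusting to your server's LogFormat, and if the action is posted in the body rather than the query string you need request-body logging or a WAF hook to see it. Treat zip_magic as a corroborating signal next to the action parameter and the field pair, not a standalone alert, since any legitimate ZIP upload sets it too.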
CVSS provenance
NVD v3.1: 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD v2.0: 7.5 HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P
VulnCheck: 9.8 CRITICAL
GHSA
GHSA-wqvg-8q49-hjc7: The Kaswara Modern VC Addons WordPress plugin through 3
ghsa_unreviewed · 2022-05-24 · CVE-2021-24284 [CRITICAL] · CWE-434
The Kaswara Modern VC Addons WordPress plugin through 3.0.1 allows unauthenticated arbitrary file upload via the 'uploadFontIcon' AJAX action. The supplied zip file is unzipped into the wp-content/uploads/kaswara/fonts_icon directory with no checks for malicious files such as PHP.
VulnCheck
kaswara_project kaswara Unrestricted Upload of File with Dangerous Type
vulncheck · 2021 · CVE-2021-24284 [CRITICAL] · CVSS 9.8
The Kaswara Modern VC Addons WordPress plugin through 3.0.1 allows unauthenticated arbitrary file upload via the 'uploadFontIcon' AJAX action. The supplied zip file is unzipped into the wp-content/uploads/kaswara/fonts_icon directory with no checks for malicious files such as PHP.
Affected: kaswara_project kaswara
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-12-24&host_type=src&vulnerability=cve-2021-24284; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-01-01&host_
No detection rules found.
Nuclei
WordPress Kaswara Modern VC Addons <=3.0.1 - Arbitrary File Upload
nuclei · CVE-2021-24284 [CRITICAL] · CVSS 9.8
WordPress Kaswara Modern VC Addons <=3.0.1 … (>=3.0.2) to mitigate this vulnerability. Note that the WPScan and Wordfence references below state that no patched version was released and that the plugin should be removed rather than updated.
reference:
- https://wpscan.com/vulnerability/8d66e338-a88f-4610-8d12-43e8be2da8c5
- https://github.com/advisories/GHSA-wqvg-8q49-hjc7
- https://www.wordfence.com/blog/2021/04/psa-remove-kaswara-modern-wpbakery-page-builder-addons-plugin-immediately/
- https://www.waltermairena.net/en/2021/04/25/0-day-vulnerability-in-the-plugin-kaswara-modern-vc-addons-plugin-what-can-i-do/
- https://lifeinhex.com/kaswara-exploit-or-how-much-wordfence-cares-about-user-security/
- https://nvd.nist.gov/vuln/detail/CVE-2021-24284
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2021-24284
cwe-id: CWE-434
epss-score: 0.67997
epss-percentile: 0.98597
cpe: cpe:2.3:a:kaswara_project:ka
References:
- http://packetstormsecurity.com/files/167743/WordPress-Kaswara-Modern-WPBakery-Page-Builder-3.0.1-File-Upload.html
- https://codecanyon.net/item/kaswara-modern-visual-composer-addons/19341477
- https://wpscan.com/vulnerability/8d66e338-a88f-4610-8d12-43e8be2da8c5