CVE-2021-24347
Published: 2021-06-14
Priority: P275 · High · 8.8 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploit available
EPSS: 52.01% (98.8th percentile)
The SP Project & Document Manager WordPress plugin before 4.22 allows users to upload files, however, the plugin attempts to prevent php and other similar files that could be executed on the server from being uploaded by checking the file extension. It was discovered that php files could still be uploaded by changing the file extension's case, for example, from "php" to "pHP".
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| smartypantsplugins | sp_project_document_manager | < 4.22 | 4.22 |
Detection & IOCs (extracted from sources)
- Detect PHP webshell upload bypass via mixed-case file extension (e.g., .pHP, .Php, .PHp) in multipart upload requests to the SP Project & Document Manager plugin endpoint.
- Monitor POST requests to wp-admin/admin.php?page=sp-client-document-manager-fileview for multipart uploads containing filenames with mixed-case PHP extensions (.pHP, .Php, etc.).
- Alert on HTTP GET requests to /wp-content/uploads/sp-client-document-manager/ for files with mixed-case .pHP (or similar) extensions returning HTTP 200 with Content-Type text/html, indicating successful webshell execution.
- The exploit uses the p0wny-shell web shell payload; look for its characteristic HTML title string 'p0wny@shell:~#' in responses from the uploads directory.
- Detect the multipart form-data boundary '37032792112149247252673711332' in POST request bodies as a static exploit artifact.
- The Metasploit module targets the same upload endpoint; monitor for authenticated reverse shell activity originating from the wp-content/uploads/sp-client-document-manager/ directory.
- Exploitation requires an authenticated WordPress user account; unauthenticated exploitation is not possible with this vulnerability alone.
- The vulnerability is fixed in version 4.22 and later; only plugin versions before 4.22 are affected.
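The following is an added example, not code from the plugin, the advisory or any of the indexed exploits. It models the case-sensitive blocklist described above beside a hardened check, and runs the uploads-directory detection idea from the list above over constructed access-log lines; the extension sets, the log lines and the function names are assumptions.

```python
import re
from pathlib import PurePosixPath

# Extensions the vulnerable check tried to block (assumed set); compared case-sensitively.
BLOCKED_EXTENSIONS = {"php", "php3", "php4", "php5", "phtml", "phar"}
# What a document manager actually needs to accept (assumed set); allowlisting beats blocklisting.
ALLOWED_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "png", "jpg", "jpeg"}

def vulnerable_is_allowed(filename: str) -> bool:
    """Case-sensitive blocklist, modelled on the pre-4.22 behaviour: 'pHP' is not 'php'."""
    ext = PurePosixPath(filename).suffix.lstrip(".")
    return ext not in BLOCKED_EXTENSIONS

def hardened_is_allowed(filename: str) -> bool:
    """Lower-case every dotted part, reject any blocked part (catches shell.php.png too),
    then require the final extension to be on the allowlist."""
    parts = [p.lower() for p in PurePosixPath(filename).name.split(".")[1:]]
    if not parts or any(p in BLOCKED_EXTENSIONS for p in parts):
        return False
    return parts[-1] in ALLOWED_EXTENSIONS

UPLOADS_PATH = "/wp-content/uploads/sp-client-document-manager/"
# php-family extension at the end of the request path, in any letter case.
PHP_EXT = re.compile(r"\.(?:php\d?|phtml|phar)(?:\?|$)", re.IGNORECASE)
REQUEST = re.compile(r'"(GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')

def suspicious_requests(log_lines):
    """Return (method, path, status) for requests into the plugin's uploads directory
    whose path ends in a php-family extension; served files there should never be PHP."""
    hits = []
    for line in log_lines:
        m = REQUEST.search(line)
        if not m:
            continue
        method, path, status = m.groups()
        if path.startswith(UPLOADS_PATH) and PHP_EXT.search(path):
            hits.append((method, path, int(status)))
    return hits

# Constructed sample lines in combined log format, not taken from a real incident.
SAMPLE_LOG = [
    '10.0.0.5 - - [07/Jul/2021:10:00:01 +0000] "GET /wp-content/uploads/sp-client-document-manager/1/report.pdf HTTP/1.1" 200 5120',
    '10.0.0.9 - - [07/Jul/2021:10:00:07 +0000] "GET /wp-content/uploads/sp-client-document-manager/1/shell.pHP HTTP/1.1" 200 812',
    '10.0.0.9 - - [07/Jul/2021:10:00:09 +0000] "GET /wp-admin/admin.php?page=sp-client-document-manager-fileview HTTP/1.1" 200 1100',
]

if __name__ == "__main__":
    print("vulnerable accepts shell.pHP:", vulnerable_is_allowed("shell.pHP"))
    print("hardened accepts shell.pHP:", hardened_is_allowed("shell.pHP"))
    print("suspicious:", suspicious_requests(SAMPLE_LOG))
```

The detector flags lowercase .php as well, since a PHP file served from the uploads directory is the signal regardless of how its name was spelled at upload time.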
CVSS provenance
- NVD v3.1: 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- NVD v2.0: 6.5 MEDIUM, AV:N/AC:L/Au:S/C:P/I:P/A:P
No detection rules found.
Exploit-DB
Wordpress Plugin SP Project & Document Manager 4.21 - Remote Code Execution (RCE) (Authenticated)
exploitdb · 2021-07-08 · CVSS 8.8 · HIGH
---
# Exploit Title: Wordpress Plugin SP Project & Document Manager 4.21 - Remote Code Execution (RCE) (Authenticated)
# Date 07.07.2021
# Exploit Author: Ron Jost (Hacker5preme)
# Vendor Homepage: https://smartypantsplugins.com/
# Software Link: https://downloads.wordpress.org/plugin/sp-client-document-manager.4.21.zip
# Version: Before 4.22
# Tested on: Ubuntu 18.04
# CVE: CVE-2021-24347
# CWE: CWE-434
# Documentation: https://github.com/Hacker5preme/Exploits/blob/main/Wordpress/CVE-2021-24347/README.md
'''
Description:
The SP Project & Document Manager WordPress plugin before 4.22 allows users to upload files, however,
the plugin attempts to prevent php and other similar files that could
Metasploit
Wordpress Plugin SP Project and Document - Authenticated Remote Code Execution
metasploit
This module allows an attacker with a privileged Wordpress account to launch a reverse shell due to an arbitrary file upload vulnerability in the Wordpress plugin SP Project & Document.
Nuclei
WordPress SP Project & Document Manager <4.22 - Authenticated Shell Upload
nuclei · CVSS 8.8 · HIGH
Template fragment as indexed (only the tail of the raw requests is preserved):

```yaml
      ------WebKitFormBoundaryaeBrxrKJzAF0Tgfy
      Content-Disposition: form-data; name="dlg-upload-notes"

      ------WebKitFormBoundaryaeBrxrKJzAF0Tgfy
      Content-Disposition: form-data; name="sp-cdm-community-upload"

      Upload
      ------WebKitFormBoundaryaeBrxrKJzAF0Tgfy--

    - |
      GET /wp-content/uploads/sp-client-document-manager/1/{{to_lower("{{randstr}}.pHP")}} HTTP/1.1
      Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - contains(header_4, "text/html")
          - status_code_4 == 200
          - contains(body_4, "CVE-2021-24347")
        condition: and

    extractors:
      - type: regex
        name: nonce
        group: 1
        regex:
          - name="cdm_upload_file_field" value="([0-9a-zA-Z]+)"
        internal: true
# digest: 490a0046304402201bb65d04f7369d3fa14e97cea7862fe8d82bc6aad9b1e7a21789b6b43dc710cf02203cf14850e4
```
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/163434/WordPress-SP-Project-And-Document-Manager-4.21-Shell-Upload.html
- http://packetstormsecurity.com/files/163675/WordPress-SP-Project-And-Document-Remote-Code-Execution.html
- https://wpscan.com/vulnerability/8f6e82d5-c0e9-468e-acb8-7cd549f6a45a