CVE-2021-24499
Published: 2021-08-09
Priority P191 · critical · 9.8 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 60.11% (99.0th percentile)
The Workreap WordPress theme before 2.2.2 AJAX actions workreap_award_temp_file_uploader and workreap_temp_file_uploader did not perform nonce checks, or validate that the request is from a valid user in any other way. The endpoints allowed for uploading arbitrary files to the uploads/workreap-temp directory. Uploaded files were neither sanitized nor validated, allowing an unauthenticated visitor to upload executable code such as php scripts.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| amentotech | workreap | < 2.2.2 | 2.2.2 |
Detection & IOCs (extracted from sources)
sigma
POST /wp-admin/admin-ajax.php with action=workreap_award_temp_file_uploader and multipart upload of .php file
- Monitor POST requests to /wp-admin/admin-ajax.php with the 'action' parameter set to 'workreap_award_temp_file_uploader' or 'workreap_temp_file_uploader', especially when the request is unauthenticated (no valid nonce or session cookie).
- Alert on the creation of PHP files (*.php) under the /wp-content/uploads/workreap-temp/ directory, as this is the upload destination for exploited files.
- Detect GET requests to /wp-content/uploads/workreap-temp/*.php, which indicate execution of an uploaded webshell.
- Look for multipart/form-data POST requests to admin-ajax.php where the uploaded file part carries Content-Type: application/x-httpd-php, indicating a PHP webshell upload attempt. The part's Content-Type is supplied by the client, so a rule keyed only on that header misses an upload that declares image/png; the .php filename and the resulting file write under workreap-temp are the more reliable signals.
- A successful upload returns a JSON response containing '{"type":"success",'; monitor for this response pattern on admin-ajax.php POST requests from unauthenticated users.
- Webshell commands are passed via the 'c' query parameter to the uploaded PHP file; detect GET requests matching /wp-content/uploads/workreap-temp/*.php?c=. The parameter name is whatever the attacker's shell chose, so treat any request for a PHP file under workreap-temp as the durable indicator and the 'c' parameter as confirmation.
- The vulnerability affects Workreap WordPress theme versions before 2.2.2; version 2.2.2 and later include the fix. Confirm the installed theme version (the Version header in the theme's style.css) before testing or deploying detections; note that the Exploit-DB entry on this page is titled "2.2.2" while the advisory gives 2.2.2 as the fixed version.
- The exploit requires no authentication whatsoever (no session, no nonce), making it exploitable by any unauthenticated visitor. WAF rules should not assume authentication context.
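The indicators above, turned into runnable detection logic as an added example (not code from any of the sources on this page). Events are plain dicts whose field names (type, method, path, query, cookies, form, parts, response) are assumptions standing in for whatever a WAF, reverse proxy or WordPress audit log actually emits; the sample events are constructed, not captured traffic. A version check against the theme's style.css header is included because the list above asks for it before detections are deployed.

```python
"""Detection logic for the CVE-2021-24499 indicators listed above.

Added example; field names are assumed, not a real log schema.
"""
import re
from urllib.parse import parse_qs

VULN_ACTIONS = {"workreap_award_temp_file_uploader", "workreap_temp_file_uploader"}
ADMIN_AJAX = "/wp-admin/admin-ajax.php"
# Direct children of workreap-temp only, per the indicator; case-insensitive for Windows hosts.
PHP_IN_TEMP = re.compile(r"^/wp-content/uploads/workreap-temp/[^/]+\.php$", re.IGNORECASE)
SUCCESS_MARKER = '{"type":"success",'


def _qs(ev):
    # keep_blank_values so that "?c=" (empty command) still registers the parameter
    return parse_qs(ev.get("query", ""), keep_blank_values=True)


def _action(ev):
    """WordPress accepts the AJAX 'action' in the query string or in the POST body."""
    return _qs(ev).get("action", [None])[0] or ev.get("form", {}).get("action")


def _vuln_ajax_post(ev):
    return ev.get("method") == "POST" and ev.get("path") == ADMIN_AJAX and _action(ev) in VULN_ACTIONS


def _unauthenticated(ev):
    """No wordpress_logged_in_* cookie and no nonce: the state the exploit relies on."""
    no_cookie = not any(c.startswith("wordpress_logged_in_") for c in ev.get("cookies", {}))
    no_nonce = "_wpnonce" not in _qs(ev) and not ev.get("form", {}).get("_wpnonce")
    return no_cookie and no_nonce


def _php_part(part):
    # The declared Content-Type is attacker-controlled, so the filename extension is
    # checked too: a part labelled image/png but named x.php is still caught.
    return (part.get("content_type") == "application/x-httpd-php"
            or part.get("filename", "").lower().endswith(".php"))


def _php_get(ev):
    return ev.get("method") == "GET" and bool(PHP_IN_TEMP.match(ev.get("path", "")))


RULES = {
    "vuln_action_post": _vuln_ajax_post,
    "vuln_action_post_unauth": lambda ev: _vuln_ajax_post(ev) and _unauthenticated(ev),
    "php_part_in_upload": lambda ev: _vuln_ajax_post(ev) and any(_php_part(p) for p in ev.get("parts", [])),
    "upload_success_response": lambda ev: _vuln_ajax_post(ev) and SUCCESS_MARKER in ev.get("response", ""),
    "php_created_in_temp_dir": lambda ev: ev.get("type") == "file_create" and bool(PHP_IN_TEMP.match(ev.get("path", ""))),
    "php_executed_from_temp_dir": _php_get,
    "webshell_command_param": lambda ev: _php_get(ev) and "c" in _qs(ev),
}


def evaluate(events):
    """Return {event_id: sorted rule names that fired}; quiet events are omitted."""
    hits = {}
    for ev in events:
        fired = sorted(name for name, rule in RULES.items() if rule(ev))
        if fired:
            hits[ev["id"]] = fired
    return hits


FIXED_VERSION = (2, 2, 2)
VERSION_HEADER = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)", re.MULTILINE)


def theme_is_affected(style_css):
    """Read the Version: header of the theme's style.css and compare numerically,
    so 2.10.0 is not mis-ordered below 2.2.2 by a string comparison. None if unknown."""
    m = VERSION_HEADER.search(style_css)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).strip(".").split(".")) < FIXED_VERSION


# Constructed sample events: one exploit sequence (e1-e3) and two benign requests (e4, e5).
SAMPLE_EVENTS = [
    {"id": "e1", "type": "http", "method": "POST", "path": ADMIN_AJAX, "query": "",
     "cookies": {}, "form": {"action": "workreap_temp_file_uploader"},
     "parts": [{"filename": "x.php", "content_type": "application/x-httpd-php"}],
     "response": '{"type":"success","msg":"constructed"}'},
    {"id": "e2", "type": "file_create", "path": "/wp-content/uploads/workreap-temp/x.php"},
    {"id": "e3", "type": "http", "method": "GET",
     "path": "/wp-content/uploads/workreap-temp/x.php", "query": "c=id"},
    {"id": "e4", "type": "http", "method": "POST", "path": ADMIN_AJAX, "query": "",
     "cookies": {"wordpress_logged_in_abc": "x"}, "form": {"action": "heartbeat", "_wpnonce": "f00d"},
     "parts": [], "response": '{"type":"success"}'},
    {"id": "e5", "type": "http", "method": "GET", "path": "/wp-content/uploads/2021/08/logo.png", "query": ""},
]

if __name__ == "__main__":
    for event_id, rules in evaluate(SAMPLE_EVENTS).items():
        print(event_id, rules)
```

Each rule is independent, so a log pipeline can weight them separately: the upload POST alone is noisy on a site where the theme is patched, while a .php write into workreap-temp followed by a GET for that file is near-certain compromise regardless of theme version.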
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vulncheck | | 9.8 | CRITICAL | |
GHSA
GHSA-r7ww-r6jj-2jrh
ghsa_unreviewed · 2022-05-24 · CRITICAL · CWE-434
Description: as in the CVE text above.
VulnCheck
amentotech workreap Unrestricted Upload of File with Dangerous Type
vulncheck · 2021 · CVSS 9.8 · CRITICAL
Description: as in the CVE text above.
Affected: amentotech workreap
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://unit42.paloaltonetworks.com/network-attacks-trends-august-octo
No detection rules found.
Exploit-DB
WordPress Theme Workreap 2.2.2 - Unauthenticated Upload Leading to Remote Code Execution
exploitdb · 2023-06-09 · CVSS 9.8 · CRITICAL
---
# Exploit Title: WordPress Theme Workreap 2.2.2 - Unauthenticated Upload Leading to Remote Code Execution
# Dork: inurl:/wp-content/themes/workreap/
# Date: 2023-06-01
# Category : Webapps
# Vendor Homepage: https://themeforest.net/item/workreap-freelance-marketplace-wordpress-theme/23712454
# Exploit Author: Mohammad Hossein Khanaki(Mr_B0hl00l)
# Version: 2.2.2
# Tested on: Windows/Linux
# CVE: CVE-2021-24499
import requests
import random
import string
import sys
def usage():
banner = '''
NAME: WordPress Theme Workreap 2.2.2 - Unauthenticated Upload Leading to Remote Code Execution
usage: python3 Workreap_rce.py
example for linux : python3 Workreap_rce.py https://www.exploit-db.com
example f
Nuclei
WordPress Workreap - Remote Code Execution
nuclei · CVSS 9.8 · CRITICAL
WordPress Workreap theme is susceptible to remote code execution; the rest of the template description matches the CVE text above.
Template:
id: CVE-2021-24499
info:
  name: WordPress Workreap - Remote Code Execution
  author: daffainfo
  severity: critical
  description: WordPress Workreap theme is susceptible to remote code execution. The AJAX actions workreap_award_temp_file_uploader and workreap_temp_file_uplo
Unit42
Network Security Trends: August-October 2021
blogs_unit42 · 2021-12-21 · CVSS 9.8 · CRITICAL
## Executive Summary
Unit 42 researchers continually observe network attacks and search for insights that can assist defenders. Here, we summarize key trends from August-October 2021. In the following sections, we present our analysis of the most recently published vulnerabilities, including the severity distribution. We also classify vulnerabilities to provide a clear view of the prevalence of, say, cross-site scripting or denial of service.
Additionally, we provide insight into how the vulnerabilities are actively exploited in the wild based on real-world data collected from Palo Alto Networks Next-Generation Firewalls. For example, we chart a timeframe showing how frequently the most commonly exploited vulnerabilities were attacked through networks and the locations from which the att
Unit42
Network Security Trends: August-October 2021
Yue Guan · Published: December 21, 2021 · Threat Research Center · Trend Reports · Vulnerabilities
CVEs tagged in the post: CVE-2021-24499, CVE-2021-26084, CVE-2021-32789, CVE-2021-33357, CVE-2021-33766, CVE-2021-34473, CVE-2021-35395, CVE-2021-38647, CVE-2021-40438, CVE-2021-40870, CVE-2021-41773, CVE-2021-42013
Greynoiseio
NoiseLetter September 2025
blogs_greynoiseio
References
http://packetstormsecurity.com/files/172876/WordPress-Workreap-2.2.2-Shell-Upload.html
https://jetpack.com/2021/07/07/multiple-vulnerabilities-in-workreap-theme/
https://wpscan.com/vulnerability/74611d5f-afba-42ae-bc19-777cdf2808cb