cbcvebase.
CVE-2021-24499
published 2021-08-09

CVE-2021-24499: The Workreap WordPress theme before 2.2.2 AJAX actions workreap_award_temp_file_uploader and workreap_temp_file_uploader did not perform nonce checks, or…

Priority: P1 (91)
Severity: critical, CVSS 3.1 base score 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Flags: ITW, EXPLOIT, VulnCheck KEV, Initial access
Exploited in the wild
EPSS: 60.11% (99.0th percentile)
The Workreap WordPress theme before 2.2.2 AJAX actions workreap_award_temp_file_uploader and workreap_temp_file_uploader did not perform nonce checks, or validate that the request is from a valid user in any other way. The endpoints allowed for uploading arbitrary files to the uploads/workreap-temp directory. Uploaded files were neither sanitized nor validated, allowing an unauthenticated visitor to upload executable code such as php scripts.

Affected (1 range)

Vendor       Product    Version range   Fixed in
amentotech   workreap   < 2.2.2         2.2.2
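The Affected table gives a single range, < 2.2.2, and the detection notes below ask that the installed theme version be confirmed before testing or deploying rules. The following is an added example, not code from the cbcvebase page or from the Workreap theme: it reads the Version field from a WordPress theme's style.css header and decides whether the install is in the affected range, taking care that 2.2.10 sorts after 2.2.2 (a plain string comparison gets that wrong). The header text is constructed for illustration; on a live site the same file is served from the theme path listed under Detection & IOCs, but the functions here only operate on text.

```python
# Added example, not from the cbcvebase page or the Workreap theme: decide
# whether an install sits in the affected range (< 2.2.2) from the theme's
# style.css header, which is where a WordPress theme declares its Version.
# The header text below is constructed; the functions work on text only.
import re

FIXED_VERSION = "2.2.2"   # "Fixed in" column of the Affected table

# WordPress theme header line, e.g. "Version: 2.2.1", inside the leading /* */ comment
VERSION_HEADER_RE = re.compile(r'^\s*\*?\s*Version:\s*(\S+)', re.IGNORECASE | re.MULTILINE)


def theme_version(style_css):
    """Return the declared Version string, or None if the header is missing."""
    m = VERSION_HEADER_RE.search(style_css)
    return m.group(1) if m else None


def version_tuple(version):
    """Numeric components for comparison: '2.2.10' must sort after '2.2.2',
    which a plain string comparison gets wrong.  A non-numeric suffix such
    as '-rc1' ends the numeric part."""
    parts = []
    for piece in re.split(r'[.\-]', version):
        m = re.match(r'\d+', piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def is_affected(style_css, fixed=FIXED_VERSION):
    """True if the declared version is below the fix, False if at/above it,
    None if no version could be read (treat as unknown, not as safe)."""
    declared = theme_version(style_css)
    if declared is None:
        return None
    a, b = version_tuple(declared), version_tuple(fixed)
    width = max(len(a), len(b))            # so that "2.2" compares as 2.2.0
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


# Constructed header in the WordPress theme format (vendor name from the table above).
SAMPLE_STYLE_CSS = """/*
Theme Name: Workreap
Author: amentotech
Version: 2.2.1
*/
"""

if __name__ == "__main__":
    print(theme_version(SAMPLE_STYLE_CSS), "affected:", is_affected(SAMPLE_STYLE_CSS))
```

A missing header returns None rather than False on purpose: an unreadable version is a scoping gap to chase, not evidence that the fix is present.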

Detection & IOCs (extracted from sources)

url: /wp-admin/admin-ajax.php
path: /wp-content/uploads/workreap-temp/
command: action=workreap_award_temp_file_uploader
command: action=workreap_temp_file_uploader
path: /wp-content/themes/workreap/
sigma: POST /wp-admin/admin-ajax.php with action=workreap_award_temp_file_uploader and multipart upload of .php file
  • Monitor POST requests to /wp-admin/admin-ajax.php with the 'action' parameter set to 'workreap_award_temp_file_uploader' or 'workreap_temp_file_uploader', especially when the request is unauthenticated (no valid nonce or session cookie).
  • Alert on the creation of PHP files (*.php) under the /wp-content/uploads/workreap-temp/ directory, as this is the upload destination for exploited files.
  • Detect GET requests to /wp-content/uploads/workreap-temp/*.php, which indicate execution of an uploaded webshell.
  • Look for multipart/form-data POST requests to admin-ajax.php where the uploaded file has Content-Type: application/x-httpd-php, indicating a PHP webshell upload attempt.
  • A successful upload returns a JSON response containing '{"type":"success",' — monitor for this response pattern on admin-ajax.php POST requests from unauthenticated users.
  • Webshell commands are passed via the 'c' query parameter to the uploaded PHP file; detect GET requests matching /wp-content/uploads/workreap-temp/*.php?c=
  • The vulnerability affects Workreap WordPress theme versions before 2.2.2; version 2.2.2 and later include the fix. Confirm the installed theme version before testing or deploying detections.
  • The exploit requires no authentication whatsoever (no session, no nonce), so any unauthenticated visitor can trigger it. WAF rules should not assume an authentication context.
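The indicators above (the two AJAX actions on admin-ajax.php, PHP files under /wp-content/uploads/workreap-temp/, the ?c= command channel, the application/x-httpd-php part in the multipart body) are concrete enough to turn into a small scanner. The following is an added example, not code from the cbcvebase page, the Workreap theme, or any of the listed sources: it applies those indicators to web-server access-log lines and correlates an upload attempt with a later .php hit from the same source address. The log lines and the request body are constructed for illustration. Access logs do not record POST bodies or responses, so the optional body argument stands in for a WAF or proxy log that does (an assumption; pass None when only access logs are available), and the "type":"success" response indicator is not checked here.

```python
# Added example, not from the cbcvebase page, the Workreap theme or any listed
# source: apply the CVE-2021-24499 indicators to access-log lines.  Sample
# lines and the POST body are constructed; the `body` argument assumes a
# WAF/proxy log that captures request bodies (access logs do not).
import re
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" format: ip ident user [time] "METHOD target proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# value of a multipart form field named "action"
MULTIPART_ACTION_RE = re.compile(r'name="action"\r?\n\r?\n([^\r\n]+)')

VULN_ACTIONS = {"workreap_award_temp_file_uploader", "workreap_temp_file_uploader"}
AJAX_PATH = "/wp-admin/admin-ajax.php"          # matched by suffix: WordPress may live in a sub-directory
UPLOAD_DIR = "/wp-content/uploads/workreap-temp/"


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    url = urlsplit(entry["target"])
    entry["path"] = url.path
    entry["query"] = parse_qs(url.query)
    return entry


def action_from_body(body):
    """Pull the 'action' field out of a multipart or urlencoded POST body."""
    if not body:
        return None
    m = MULTIPART_ACTION_RE.search(body)
    if m:
        return m.group(1).strip()
    return parse_qs(body).get("action", [None])[0]


def classify(entry, body=None):
    """Return the indicator tags that fire for one request."""
    tags = []
    action = entry["query"].get("action", [None])[0] or action_from_body(body)
    if entry["method"] == "POST" and entry["path"].endswith(AJAX_PATH) and action in VULN_ACTIONS:
        tags.append("upload_attempt")
        if body and "Content-Type: application/x-httpd-php" in body:
            tags.append("php_upload")           # the uploaded part is declared as PHP
    if UPLOAD_DIR in entry["path"] and entry["path"].lower().endswith(".php"):
        tags.append("webshell_access")          # PHP requested from the temp upload directory
        if "c" in entry["query"]:
            tags.append("webshell_command")     # ?c= is the command channel named above
    return tags


def scan(records):
    """records: iterable of (access_log_line, post_body_or_None).
    Returns one finding per flagged request; a .php hit from an IP that
    earlier triggered the upload action is additionally tagged upload_then_execute."""
    findings, uploaders = [], set()
    for line, body in records:
        entry = parse_line(line)
        if entry is None:
            continue
        tags = classify(entry, body)
        if "upload_attempt" in tags:
            uploaders.add(entry["ip"])
        if "webshell_access" in tags and entry["ip"] in uploaders:
            tags.append("upload_then_execute")
        if tags:
            findings.append({"ip": entry["ip"], "ts": entry["ts"], "path": entry["path"],
                             "status": entry["status"], "tags": tags})
    return findings


# Constructed sample data (RFC 5737 documentation addresses, placeholder file content).
SAMPLE_BODY = (
    '--b\r\nContent-Disposition: form-data; name="action"\r\n\r\nworkreap_award_temp_file_uploader\r\n'
    '--b\r\nContent-Disposition: form-data; name="file"; filename="x.php"\r\n'
    'Content-Type: application/x-httpd-php\r\n\r\n<?php /* placeholder, not a payload */ ?>\r\n--b--\r\n'
)
SAMPLE_RECORDS = [
    ('203.0.113.5 - - [09/Aug/2021:10:00:01 +0000] "GET /wp-content/themes/workreap/style.css HTTP/1.1" 200 1234 "-" "Mozilla/5.0"', None),
    ('198.51.100.7 - - [09/Aug/2021:10:00:05 +0000] "POST /wp-admin/admin-ajax.php?action=workreap_temp_file_uploader HTTP/1.1" 200 45 "-" "python-requests/2.25.1"', None),
    ('198.51.100.7 - - [09/Aug/2021:10:00:09 +0000] "GET /wp-content/uploads/workreap-temp/shell.php?c=id HTTP/1.1" 200 120 "-" "python-requests/2.25.1"', None),
    ('203.0.113.5 - - [09/Aug/2021:10:01:00 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 30 "-" "Mozilla/5.0"', None),
    ('192.0.2.9 - - [09/Aug/2021:10:02:00 +0000] "POST /blog/wp-admin/admin-ajax.php HTTP/1.1" 200 45 "-" "curl/7.68.0"', SAMPLE_BODY),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_RECORDS):
        print(f["ts"], f["ip"], f["status"], f["path"], ",".join(f["tags"]))
```

Two design points. The action name is looked for in the query string first because that is where an access log can see it; when the action travels only in the multipart body, the upload_attempt tag depends on a body-capturing log, which is why the scanner never treats a plain POST to admin-ajax.php as suspicious on its own. The upload_then_execute correlation is keyed on source address only, which is deliberately loose: an attacker can upload from one address and call the shell from another, so webshell_access on its own should still page someone.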

CVSS provenance

Source     Version   Score   Severity   Vector
nvd        v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd        v2.0      7.5     HIGH       AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck            9.8     CRITICAL