CVE-2021-24916
Published: 2023-08-07
CVE-2021-24916: The Qubely WordPress plugin before 1.8.6 allows unauthenticated users to send arbitrary e-mails to arbitrary addresses via the qubely_send_form_data AJAX action.
Priority: P3 · 53 · High · 7.5 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Exploit
EPSS: 1.54% (71.7th percentile)
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| themeum | qubely | < 1.8.6 | 1.8.6 |
Detection & IOCs (extracted from sources)
- URL: /wp-admin/admin-ajax.php
- Path: /wp-content/plugins/qubely/readme.txt
- Request body: action=qubely_send_form_data&[email protected]&email-subject=CVE-2021-24916+Test&email-body=test&field-error-message=err&form-success-message=qubely49fc16d8&form-error-message=qubely49fc16d8&qubely-form-input[name]=test&security={{nonce}}
- Detect exploitation attempts by monitoring POST requests to /wp-admin/admin-ajax.php with the body parameter action=qubely_send_form_data; no authentication is required, so any such request is suspicious.
- Look for the strings 'qubely_urls' and '"nonce"' co-occurring in a page body; the exploit template uses them to fingerprint vulnerable targets before launching the attack.
- A successful exploitation response contains both '"success":true' and the attacker-controlled canary string (e.g. 'qubely49fc16d8') in the response body.
- Use the FOFA/PublicWWW fingerprint queries to identify internet-exposed instances: search for a body containing 'qubely_urls' or the path '/wp-content/plugins/qubely/'.
- Version check: fetch /wp-content/plugins/qubely/readme.txt and extract 'Stable tag:'; any version below 1.8.6 is vulnerable.
- Note: the exploit requires a valid WordPress nonce extracted from the front page; the nonce is scoped to the session, but no authentication is needed to obtain it, so the attack is fully unauthenticated.
- Note: the vulnerability is described as 'insecure deserialization' in the WPScan template description, but the actual attack surface is unauthenticated arbitrary e-mail sending via the AJAX action, not a classic deserialization RCE.
No detection rules found.
Nuclei
WordPress Qubely < 1.8.6 - Unauthenticated Email Sending (nuclei · CVSS 7.5)
CVE-2021-24916 [HIGH] WordPress Qubely < 1.8.6 - Unauthenticated Email Sending
Qubely WordPress plugin < 1.8.6 contains an insecure deserialization caused by unauthenticated users being able to send arbitrary emails via the qubely_send_form_data AJAX action, letting attackers send spam or malicious emails, exploit requires no authentication.
Template:
```yaml
id: CVE-2021-24916

info:
  name: WordPress Qubely < 1.8.6 - Unauthenticated Email Sending
  author: roberto
  severity: high
  description: |
    Qubely WordPress plugin < 1.8.6 contains an insecure deserialization caused by unauthenticated users being able to send arbitrary emails via the qubely_send_form_data AJAX action, letting attackers send spam or malicious emails, exploit requires no authentication.
  impact: |
    Attackers can send spam or malicious emails from the se
```
No writeups or analysis indexed.