CVE-2021-24916
published 2023-08-07

CVE-2021-24916: The Qubely WordPress plugin before 1.8.6 allows an unauthenticated user to send arbitrary e-mails to arbitrary addresses via the qubely_send_form_data AJAX action.

Priority: P3 53 · Severity: high · CVSS 3.1 base score: 7.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Exploit: yes (public exploit available)
EPSS: 1.54% (71.7th percentile)

Affected

1 range
Vendor    Product   Version range   Fixed in
themeum   qubely    < 1.8.6         1.8.6

Detection & IOCs (extracted from sources)

url:      /wp-admin/admin-ajax.php
path:     /wp-content/plugins/qubely/readme.txt
command:  action=qubely_send_form_data&[email protected]&email-subject=CVE-2021-24916+Test&email-body=test&field-error-message=err&form-success-message=qubely49fc16d8&form-error-message=qubely49fc16d8&qubely-form-input[name]=test&security={{nonce}}
other:    qubely_send_form_data
  • Detect exploitation attempts by monitoring POST requests to /wp-admin/admin-ajax.php whose body contains 'action=qubely_send_form_data'. No authentication is required, but the same action is what the plugin's own contact forms submit to, so the action alone is only a weak signal: flag requests whose 'email-to' is not one of the site's configured form recipients, whose Referer/Origin is missing or off-site, or that arrive in volume from one client.
  • Look for the strings 'qubely_urls' and '"nonce"' co-occurring in the body of the site's front page; the exploit template uses this pair to fingerprint vulnerable targets before launching the attack.
  • A successful exploitation response contains both '"success":true' and the attacker-controlled canary string (e.g. 'qubely49fc16d8', passed in the form-success-message/form-error-message parameters) in the response body.
  • Use the FOFA/PublicWWW fingerprint queries to identify internet-exposed instances: search for a body containing 'qubely_urls' or a path of '/wp-content/plugins/qubely/'.
  • Version check: fetch /wp-content/plugins/qubely/readme.txt and extract 'Stable tag:'; any version below 1.8.6 is vulnerable. Compare version components numerically (1.8.10 is newer than 1.8.6), not as strings.
  • The exploit requires a valid WordPress nonce extracted from the front page. The nonce is scoped to the visitor's session, but no authentication is needed to obtain it, so the attack is fully unauthenticated.
  • The vulnerability is described as 'insecure deserialization' in the WPScan template description, but the actual attack surface is unauthenticated arbitrary e-mail sending via the AJAX action, not a classic deserialization RCE.
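The version check, request triage and response check described in the list above, as an added example in Python; this is not code from the advisory, the exploit template or the Qubely plugin. The sample readme text, request bodies and JSON responses are constructed, and the site host and the allowed-recipient list are assumptions standing in for values a real deployment would read from the plugin's form settings.

```python
"""Triage helpers for CVE-2021-24916 (Qubely < 1.8.6 unauthenticated e-mail relay).

Added example; inputs below are constructed, and the site host / allowed
recipient list are assumptions, not values taken from the plugin.
"""
import re
from urllib.parse import parse_qs, urlparse

ACTION = "qubely_send_form_data"
FIXED_VERSION = (1, 8, 6)


def parse_version(text):
    """'1.8.10' -> (1, 8, 10). Tuples compare element-wise, so 1.8.10 > 1.8.6."""
    return tuple(int(p) for p in text.strip().split("."))


def readme_is_vulnerable(readme_text):
    """Return True if 'Stable tag:' in a plugin readme.txt is below 1.8.6.

    Returns None when no Stable tag line is present (unknown, not safe).
    """
    m = re.search(r"^Stable tag:\s*([0-9][0-9.]*)", readme_text, re.M | re.I)
    if not m:
        return None
    return parse_version(m.group(1)) < FIXED_VERSION


def triage_request(method, url, body, referer, site_host, allowed_recipients):
    """Return findings for one HTTP request, or None if it is not a Qubely form post.

    The plugin's own contact forms post to the same action, so the action alone
    is only a weak signal; 'reasons' records what makes a request look abusive.
    """
    if method.upper() != "POST" or not urlparse(url).path.endswith("/wp-admin/admin-ajax.php"):
        return None
    params = parse_qs(body, keep_blank_values=True)
    if params.get("action", [""])[0] != ACTION:
        return None

    reasons = []
    recipient = params.get("email-to", [""])[0]
    if recipient.lower() not in {r.lower() for r in allowed_recipients}:
        # The bug is that the caller chooses the recipient; a legitimate form
        # only ever delivers to the address configured in the block settings.
        reasons.append("recipient-not-configured")
    ref_host = urlparse(referer).hostname if referer else None
    if ref_host != site_host:
        reasons.append("offsite-or-missing-referer")
    return {"recipient": recipient, "reasons": reasons}


def exploit_succeeded(response_body, canary):
    """The PoC treats a response as success when it carries '"success":true'
    and echoes the canary it sent in form-success-message/form-error-message."""
    return bool(re.search(r'"success"\s*:\s*true', response_body)) and canary in response_body


# --- constructed sample data (assumed site: example.com, recipient owner@example.com) ---
SITE_HOST = "example.com"
ALLOWED = ["owner@example.com"]
LEGIT_BODY = ("action=qubely_send_form_data&email-to=owner%40example.com"
              "&email-subject=Hello&email-body=hi&security=5d1a2b3c4e")
ATTACK_BODY = ("action=qubely_send_form_data&email-to=victim%40third-party.example"
               "&email-subject=CVE-2021-24916+Test&email-body=test"
               "&form-success-message=qubely49fc16d8&form-error-message=qubely49fc16d8"
               "&qubely-form-input[name]=test&security=5d1a2b3c4e")
VULNERABLE_README = "=== Qubely ===\nTested up to: 5.8\nStable tag: 1.8.5\n"
PATCHED_README = "=== Qubely ===\nStable tag: 1.8.10\n"
PoC_RESPONSE = '{"success":true,"data":{"message":"qubely49fc16d8"}}'


def run_demo():
    """Run every helper over the constructed samples and return the results."""
    return {
        "vulnerable_readme": readme_is_vulnerable(VULNERABLE_README),
        "patched_readme": readme_is_vulnerable(PATCHED_README),
        "legit": triage_request("POST", "https://example.com/wp-admin/admin-ajax.php",
                                LEGIT_BODY, "https://example.com/contact/", SITE_HOST, ALLOWED),
        "attack": triage_request("POST", "/wp-admin/admin-ajax.php",
                                 ATTACK_BODY, None, SITE_HOST, ALLOWED),
        "poc_hit": exploit_succeeded(PoC_RESPONSE, "qubely49fc16d8"),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

The recipient check is the strongest of the three signals because it tests the exact property the vulnerability breaks (caller-chosen destination); the Referer check is a supporting heuristic only, since browsers and privacy extensions can strip it on legitimate submissions.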