Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2021-25052

CWE-352 — Cross-Site Request Forgery (CSRF)4 documents4 sources

Severity

8.8HIGH

EPSS

42.4%

top 2.54%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Unknown Button Generator – Easily Button Builder Wow-company Button Generator

Timeline

PublishedJan 10

Latest updateJan 11

Description

The Button Generator WordPress plugin before 2.3.3 within the wow-company admin menu page allows to include() arbitrary file with PHP extension (as well as with data:// or http:// protocols), thus leading to CSRF RCE.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

▶NVDwow-company/button_generator< 2.3.3

▶CVEListV5unknown/button_generator_–_easily_button_builder2.3.3 — 2.3.3

Patches

Patch: plugins.trac.wordpress.org ↗Patch: plugins.trac.wordpress.org ↗

🔴Vulnerability Details

GHSA

GHSA-qgxx-xcvx-3pp5: The Button Generator WordPress plugin before 2↗2022-01-11

▶

CVEList

Button Generator < 2.3.3 - RFI leading to RCE via CSRF↗2022-01-10

▶

💥Exploits & PoCs

Nuclei

WordPress Button Generator <2.3.3 - Remote File Inclusion

▶