CVE-2021-4436
Published 2024-02-05
CVE-2021-4436: The 3DPrint Lite WordPress plugin before 1.9.1.5 does not have any authorisation and does not check the uploaded file in its p3dlite_handle_upload AJAX action…
Priority: P185 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW · EXPLOIT · VulnCheck KEV · Ransomware
Exploited in the wild
EPSS: 6.70% (93.1st percentile)
The 3DPrint Lite WordPress plugin before 1.9.1.5 does not have any authorisation and does not check the uploaded file in its p3dlite_handle_upload AJAX action, allowing unauthenticated users to upload arbitrary files to the web server. However, there is a .htaccess preventing the file from being accessed on web servers such as Apache.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wp3dprinting | 3dprint_lite | < 1.9.1.5 | 1.9.1.5 |
Detection & IOCs (extracted from sources)
Snort/Suricata rule:
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Wordpress 3DPrint Lite Plugin Arbitrary File Upload Attempt - PHP webshell Payload (CVE-2021-4436)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"?action=p3dlite_handle_upload"; endswith; fast_pattern; reference:cve,2021-4436; classtype:trojan-activity; sid:2050738; rev:1; metadata:affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2024_02_06, cve CVE_2021_4436, deployment Perimeter, deployment SSLDecrypt, confidence High, signature_severity Major, updated_at 2024_02_06; target:dest_ip;)
- Exploit requests use the HTTP POST method against the AJAX action endpoint ?action=p3dlite_handle_upload, with no authentication required.
- The response body of a successful exploitation contains JSON-RPC 2.0 fields, including 'filename' carrying the uploaded PHP filename, which confirms the arbitrary PHP file upload.
- The vulnerability is in the p3dlite_handle_upload AJAX action of the 3DPrint Lite WordPress plugin; unauthenticated users can upload arbitrary files. Apache servers are partially protected by a .htaccess file, but other web servers (e.g., Nginx) may allow direct access to uploaded files.
- The Snort/ET rule requires SSL decryption to be effective against HTTPS traffic, as indicated by its deployment metadata (SSLDecrypt).
- Apache-based deployments have partial mitigation via a .htaccess file that prevents direct web access to uploaded files; however, the upload itself still succeeds, and the .htaccess protection does not apply to all web servers.
CVSS provenance

| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| vulncheck | 9.8 | CRITICAL | |
GHSA
GHSA-v78v-jm8m-vmmw (ghsa_unreviewed · 2024-02-05) · CVE-2021-4436 [CRITICAL] · CWE-434
GHSA-v78v-jm8m-vmmw: The 3DPrint Lite WordPress plugin before 1
VulnCheck
wp3dprinting 3dprint_lite Unrestricted Upload of File with Dangerous Type (vulncheck · 2021 · CVSS 9.8) · CVE-2021-4436 [CRITICAL]
Affected: wp3dprinting 3dprint_lite
Required Action: Apply remediations or mitigations per vendor instructions, or discontinue use of the product if remediation or mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References: https://thedfirreport.com/wp-content/uploads/2024/03/WordPress-Plugin-Exploit-Leads-to-Godzilla-Web-Shell-Discovery-New-CVE.pdf.pdf; h
Suricata
ET WEB_SPECIFIC_APPS Wordpress 3DPrint Lite Plugin Arbitrary File Upload Attempt - PHP webshell Payload (CVE-2021-4436) (suricata · 2024-02-06 · CVSS 9.8) · CVE-2021-4436 [CRITICAL]
Rule: sid:2050738, rev:1 (the full rule text is listed under Detection & IOCs above)
Nuclei
3DPrint Lite < 1.9.1.5 - Arbitrary File Upload (nuclei · CVSS 9.8) · CVE-2021-4436 [CRITICAL]
3DPrint Lite
Template matchers (indentation restored):

```yaml
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '"jsonrpc":"2.0"'
          - '"filename":'
          - "{(unknown)}.php"
        condition: and

      - type: status
        status:
          - 200
# digest: 4b0a00483046022100bf11167d522472ee24494d3d3df124872fb6a395e845e3dfc0555b54988fad86022100a8bc9de94216de89ed71ab75fcaf470506b31fd34988dc28095fd5c76088a2d3:922c64590222798bb761d5b6d8e72950
```