CVE-2021-4436
published 2024-02-05

CVE-2021-4436: The 3DPrint Lite WordPress plugin before 1.9.1.5 does not have any authorisation and does not check the uploaded file in its p3dlite_handle_upload AJAX action…

Priority: P185, critical, 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: ITW, EXPLOIT, VulnCheck KEV, Ransomware
Exploited in the wild
EPSS: 6.70% (93.1th percentile)

The 3DPrint Lite WordPress plugin before 1.9.1.5 does not have any authorisation and does not check the uploaded file in its p3dlite_handle_upload AJAX action, allowing unauthenticated users to upload arbitrary files to the web server. However, there is a .htaccess file that prevents the uploaded file from being accessed on web servers such as Apache.

Affected

1 range

Vendor        Product       Version range  Fixed in
wp3dprinting  3dprint_lite  < 1.9.1.5      1.9.1.5

Detection & IOCs (extracted from sources)

url: ?action=p3dlite_handle_upload

snort:
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Wordpress 3DPrint Lite Plugin Arbitrary File Upload Attempt - PHP webshell Payload (CVE-2021-4436)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"?action=p3dlite_handle_upload"; endswith; fast_pattern; reference:cve,2021-4436; classtype:trojan-activity; sid:2050738; rev:1; metadata:affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2024_02_06, cve CVE_2021_4436, deployment Perimeter, deployment SSLDecrypt, confidence High, signature_severity Major, updated_at 2024_02_06; target:dest_ip;)
  • Exploit requests use HTTP POST method targeting the AJAX action endpoint ?action=p3dlite_handle_upload with no authentication required
  • Successful exploitation response body contains JSON-RPC 2.0 fields including 'filename' and the uploaded PHP filename, confirming arbitrary PHP file upload
  • The vulnerability is in the p3dlite_handle_upload AJAX action of the 3DPrint Lite WordPress plugin; unauthenticated users can upload arbitrary files. Apache servers are partially protected by a .htaccess file, but other web servers (e.g., Nginx) may allow direct access to uploaded files
  • The Snort/ET rule requires SSL decryption to be effective against HTTPS traffic, as indicated by the deployment metadata
  • Apache-based deployments have partial mitigation via a .htaccess file that prevents direct web access to uploaded files; however, the file upload itself still succeeds and the .htaccess protection does not apply to all web servers
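
A log-side counterpart to the rule above, as an added example (not from the advisory or the rule's authors): it scans access logs in Combined Log Format for POST requests that select the p3dlite_handle_upload action, and goes slightly beyond the rule's endswith match by parsing the query string. The sample lines and the /wp-admin/admin-ajax.php path in them are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

ACTION = "p3dlite_handle_upload"  # AJAX action named in the advisory

# Combined Log Format: ip - user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def find_upload_attempts(lines):
    """Return one dict per POST request whose query string selects ACTION."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue  # unparseable line, or not a POST (the rule also requires POST)
        # parse_qs normalises the query, so parameter order does not matter
        query = parse_qs(urlsplit(m["target"]).query)
        if ACTION in query.get("action", []):
            hits.append({
                "ip": m["ip"],
                "time": m["time"],
                "target": m["target"],
                "status": int(m["status"]),
            })
    return hits

# Constructed sample lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [06/Feb/2024:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=p3dlite_handle_upload HTTP/1.1" 200 143 "-" "curl/8.0"',
    '203.0.113.9 - - [06/Feb/2024:10:01:05 +0000] "GET /wp-admin/admin-ajax.php?action=p3dlite_handle_upload HTTP/1.1" 400 1 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [06/Feb/2024:10:02:11 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 58 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [06/Feb/2024:10:03:40 +0000] "POST /wp-admin/admin-ajax.php?action=p3dlite_handle_upload&x=1 HTTP/1.1" 200 143 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for hit in find_upload_attempts(SAMPLE_LOG):
        print(f'{hit["time"]} {hit["ip"]} {hit["status"]} {hit["target"]}')
```

Unlike the network rule, this works on HTTPS sites without SSL decryption, because the web server logs the request after TLS termination.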

CVSS provenance

nvd        v3.1  9.8  CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck        9.8  CRITICAL