CVE-2021-24223
Last modified
CVE-2021-24223 is a critical-severity vulnerability rated 9.8/10 on the CVSS scale. The N5 Upload Form WordPress plugin through 1.0 suffers from an arbitrary file upload issue in page where a Form from the plugin is embed, as any file can be uploaded. The uploaded filename might be hard to guess as it's generated with md5(uniqid(rand())), however, in the case of misconfigured servers with Directory listing enabled, accessing it is trivial.. EPSS estimates a 2.21% chance of exploitation in the next 30 days.
Description
The N5 Upload Form WordPress plugin through 1.0 suffers from an arbitrary file upload issue in page where a Form from the plugin is embed, as any file can be uploaded. The uploaded filename might be hard to guess as it's generated with md5(uniqid(rand())), however, in the case of misconfigured servers with Directory listing enabled, accessing it is trivial.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| N5 Upload Form Project | N5 Upload Form | <= 1.0 |
References
- https://github.com/jinhuang1102/CVE-ID-Reports/blob/12863f80ced5361e2e2c3f7209566ab3730aa37b/N5_upload.mdExploit, Third Party Advisory
- https://wpscan.com/vulnerability/d7a72183-0cd1-45de-b98b-2e295b27e5dbExploit, Third Party Advisory
- https://github.com/jinhuang1102/CVE-ID-Reports/blob/12863f80ced5361e2e2c3f7209566ab3730aa37b/N5_upload.mdExploit, Third Party Advisory
- https://wpscan.com/vulnerability/d7a72183-0cd1-45de-b98b-2e295b27e5dbExploit, Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2021-24223?
How severe is CVE-2021-24223?
How do I fix CVE-2021-24223?
Are you affected by CVE-2021-24223?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST