CVE-2021-42362
Summary
| CVE | CVE-2021-42362 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2021-11-17 18:15:00 UTC |
| Updated | 2023-11-22 00:15:00 UTC |
| Description | The WordPress Popular Posts WordPress plugin is vulnerable to arbitrary file uploads due to insufficient input file type validation found in the ~/src/Image.php file which makes it possible for attackers with contributor level access and above to upload malicious files that can be used to obtain remote code execution, in versions up to and including 5.3.2. |
Risk And Classification
Problem Types: CWE-434
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Wordpress Popular Posts Project | Wordpress Popular Posts | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Improper input validation fixed in WordPress Popular Posts plugin. – NinTechNet | MISC | blog.nintechnet.com | |
| Vulnerability Advisories - Wordfence | MISC | www.wordfence.com | |
| Image: verifies that URLs are images · cabrerahector/wordpress-popular-posts@d9b274c · GitHub | | github.com | |
| 403 Forbidden | MISC | plugins.trac.wordpress.org | |
| Attention Required! \| Cloudflare | MISC | wpscan.com | |
| WordPress Popular Posts 5.3.2 Remote Code Execution ≈ Packet Storm | MISC | packetstormsecurity.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
LEGACY: Original Researcher: Jerome Bruandet, NinTechNet; Exploit Author: Simone Cristofaro
There are currently no legacy QID mappings associated with this CVE.