Vulnerability Description
The All-in-One WP Migration WordPress plugin before 7.41 does not validate uploaded files' extension, which allows administrators to upload PHP files on their site, even on multisite installations.
CVSS Score
7.2
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Servmask | One-Stop Wp Migration | < 7.41 |
Related Weaknesses (CWE)
References
- https://plugins.trac.wordpress.org/changeset/2516181#file8PatchThird Party Advisory
- https://wpscan.com/vulnerability/87c6052c-2628-4987-a9a3-a03b5ca1e083ExploitThird Party Advisory
- https://plugins.trac.wordpress.org/changeset/2516181#file8PatchThird Party Advisory
- https://wpscan.com/vulnerability/87c6052c-2628-4987-a9a3-a03b5ca1e083ExploitThird Party Advisory
FAQ
What is CVE-2021-24216?
CVE-2021-24216 is a vulnerability with a CVSS score of 7.2 (HIGH). The All-in-One WP Migration WordPress plugin before 7.41 does not validate uploaded files' extension, which allows administrators to upload PHP files on their site, even on multisite installations.
How severe is CVE-2021-24216?
CVE-2021-24216 has been rated HIGH with a CVSS base score of 7.2/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-24216?
Check the references section above for vendor advisories and patch information. Affected products include: Servmask One-Stop Wp Migration.