Vulnerability Description
The College Publisher Import WordPress plugin through version 0.1 does not validate the CSV file it is asked to import, allowing high-privilege users to upload arbitrary files, such as PHP scripts, leading to remote code execution (RCE). Because the import action also lacks a CSRF check, the issue could additionally be exploited via a CSRF attack against a logged-in high-privilege user.
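As an added defender-side example (this is not the plugin's own code; the hook name, nonce action and form field names are assumptions), this is how a WordPress import handler can enforce the two controls the description says are missing, a CSRF nonce check and a file type check, while never placing the upload in a web-served directory:

```php
<?php
// Added example, not from the College Publisher Import plugin.
// Hook name 'admin_post_cpi_import_csv', nonce action 'cpi_import_csv',
// nonce field 'cpi_nonce' and file field 'cpi_csv' are assumptions.

add_action( 'admin_post_cpi_import_csv', 'cpi_handle_csv_import' );

function cpi_handle_csv_import() {
    // 1. Capability check: only administrators may run the import.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.', '', array( 'response' => 403 ) );
    }

    // 2. CSRF check: the submitting form must carry a valid nonce
    //    tied to this action; a forged cross-site POST will not have one.
    check_admin_referer( 'cpi_import_csv', 'cpi_nonce' );

    if ( empty( $_FILES['cpi_csv']['tmp_name'] )
        || UPLOAD_ERR_OK !== $_FILES['cpi_csv']['error'] ) {
        wp_die( 'No file uploaded.' );
    }
    $tmp  = $_FILES['cpi_csv']['tmp_name'];
    $name = sanitize_file_name( $_FILES['cpi_csv']['name'] );

    // 3. File type check: accept only a .csv extension whose content
    //    WordPress agrees is a text type; anything else (e.g. .php) is rejected.
    $allowed = array( 'csv' => 'text/csv' );
    $check   = wp_check_filetype_and_ext( $tmp, $name, $allowed );
    if ( 'csv' !== $check['ext'] ) {
        wp_die( 'Only CSV files may be imported.' );
    }

    // 4. Parse the upload in place from PHP's temporary location. It is never
    //    moved under wp-content, so even a mis-detected file cannot be executed.
    $rows = array();
    $fh   = fopen( $tmp, 'r' );
    if ( false === $fh ) {
        wp_die( 'Could not read the uploaded file.' );
    }
    while ( ( $row = fgetcsv( $fh ) ) !== false ) {
        $rows[] = array_map( 'sanitize_text_field', $row );
    }
    fclose( $fh );

    // Hand $rows to the plugin's post-creation logic here (omitted).
    wp_safe_redirect( admin_url( 'admin.php?page=cpi&imported=' . count( $rows ) ) );
    exit;
}
```

The matching admin form would call `wp_nonce_field( 'cpi_import_csv', 'cpi_nonce' )` so that step 2 has a nonce to verify.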
CVSS Score
7.2 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| College Publisher Import Project | College Publisher Import | <= 0.1 |
Related Weaknesses (CWE)
References
- https://github.com/jinhuang1102/CVE-ID-Reports/blob/master/College%20Puglisher%2 (Exploit, Third Party Advisory)
- https://wpscan.com/vulnerability/bb3e56dd-ae2e-45c2-a6c9-a59ae5fc1dc4 (Exploit, Third Party Advisory)
FAQ
What is CVE-2021-24254?
CVE-2021-24254 is a vulnerability with a CVSS score of 7.2 (HIGH). The College Publisher Import WordPress plugin through version 0.1 does not validate the CSV file it is asked to import, allowing high-privilege users to upload arbitrary files, such as PHP scripts, leading to RCE. Due ...
How severe is CVE-2021-24254?
CVE-2021-24254 has been rated HIGH with a CVSS base score of 7.2/10. See the CVSS Score section above for the severity rating.
Is there a patch for CVE-2021-24254?
Check the References section above for vendor advisories and patch information. The affected product is College Publisher Import (vendor: College Publisher Import Project), versions <= 0.1.