Vulnerability Description
The Email Artillery (MASS EMAIL) WordPress plugin through 4.1 does not properly check the uploaded files from the Import Emails feature, allowing arbitrary files to be uploaded. Furthermore, the plugin is also lacking any CSRF check, allowing such issue to be exploited via a CSRF attack as well. However, due to the presence of a .htaccess, denying access to everything in the folder the file is uploaded to, the malicious uploaded file will only be accessible on Web Servers such as Nginx/IIS
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Email Artillery Project | Email Artillery | <= 4.1 |
Related Weaknesses (CWE)
References
- https://wpscan.com/vulnerability/4ea0127e-afef-41bf-a005-c57432f9f58cExploitThird Party Advisory
- https://wpscan.com/vulnerability/4ea0127e-afef-41bf-a005-c57432f9f58cExploitThird Party Advisory
FAQ
What is CVE-2021-24490?
CVE-2021-24490 is a vulnerability with a CVSS score of 6.8 (MEDIUM). The Email Artillery (MASS EMAIL) WordPress plugin through 4.1 does not properly check the uploaded files from the Import Emails feature, allowing arbitrary files to be uploaded. Furthermore, the plugi...
How severe is CVE-2021-24490?
CVE-2021-24490 has been rated MEDIUM with a CVSS base score of 6.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-24490?
Check the references section above for vendor advisories and patch information. Affected products include: Email Artillery Project Email Artillery.