Vulnerability Description
The WordPress Simple Ecommerce Shopping Cart Plugin- Sell products through Paypal plugin through 2.2.5 does not check for the uploaded Downloadable Digital product file, allowing any file, such as PHP to be uploaded by an administrator. Furthermore, as there is no CSRF in place, attackers could also make a logged admin upload a malicious PHP file, which would lead to RCE
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Simple-E-Commerce-Shopping-Cart Project | Simple-E-Commerce-Shopping-Cart | <= 2.2.5 |
Related Weaknesses (CWE)
References
- https://wpscan.com/vulnerability/1f2b3c4a-f7e9-4d22-b71e-f6b051fd8349ExploitThird Party Advisory
- https://wpscan.com/vulnerability/1f2b3c4a-f7e9-4d22-b71e-f6b051fd8349ExploitThird Party Advisory
FAQ
What is CVE-2021-24620?
CVE-2021-24620 is a vulnerability with a CVSS score of 8.8 (HIGH). The WordPress Simple Ecommerce Shopping Cart Plugin- Sell products through Paypal plugin through 2.2.5 does not check for the uploaded Downloadable Digital product file, allowing any file, such as PHP...
How severe is CVE-2021-24620?
CVE-2021-24620 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-24620?
Check the references section above for vendor advisories and patch information. Affected products include: Simple-E-Commerce-Shopping-Cart Project Simple-E-Commerce-Shopping-Cart.