Vulnerability Description
The Recently plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the fetch_external_image() function in versions up to, and including, 3.0.4. This makes it possible for authenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
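As an added illustration of the missing check (example code written for this page, not the Recently plugin's own fetch_external_image()), a hypothetical hardened helper that validates fetched bytes before writing them to disk; function and constant names are assumptions:

```php
<?php
// Added example, not the Recently plugin's code. Demonstrates the file-type
// validation the description says is missing: decide the type from the
// bytes, never from the remote URL or filename.

const ALLOWED_IMAGE_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
    'image/webp' => 'webp',
];

/**
 * Returns the extension to store the body under, or null if rejected.
 * Callers must use the returned extension, never the remote name's.
 */
function validate_fetched_image(string $body): ?string {
    if ($body === '') {
        return null;
    }
    // 1. Sniff the real MIME type from the content.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->buffer($body);
    if (!isset(ALLOWED_IMAGE_TYPES[$mime])) {
        return null;
    }
    // 2. Require the bytes to actually decode as an image and agree on type.
    $info = @getimagesizefromstring($body);
    if ($info === false || $info[0] < 1 || $info[1] < 1 || $info['mime'] !== $mime) {
        return null;
    }
    // 3. Extension derives from the validated MIME type only.
    return ALLOWED_IMAGE_TYPES[$mime];
}

/** Stores validated bytes under a random name in a fixed directory. */
function store_fetched_image(string $body, string $upload_dir): ?string {
    $ext = validate_fetched_image($body);
    if ($ext === null) {
        return null; // rejected: not a recognised image
    }
    // Random name and fixed directory: no attacker-chosen name or path.
    $path = rtrim($upload_dir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    return file_put_contents($path, $body) === false ? null : $path;
}
```

Inside WordPress, wp_check_filetype_and_ext() performs a similar content-based check against the site's allowed MIME list and is the usual core helper for this.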
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Recently Project | Recently | < 3.0.5 |
Related Weaknesses (CWE)
References
- https://plugins.trac.wordpress.org/changeset/2542693 (Release Notes)
- https://wpscan.com/vulnerability/92c3f26a-1a84-459a-874b-07dc83c9f42a (Third Party Advisory)
- https://www.acunetix.com/vulnerabilities/web/wordpress-plugin-recently-multiple- (Third Party Advisory)
- https://www.wordfence.com/threat-intel/vulnerabilities/id/f8297149-2de3-4e49-80f (Third Party Advisory)
FAQ
What is CVE-2021-4382?
CVE-2021-4382 is a vulnerability with a CVSS score of 8.8 (HIGH). The Recently plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the fetch_external_image() function in versions up to, and including, 3.0.4. This makes...
How severe is CVE-2021-4382?
CVE-2021-4382 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2021-4382?
Check the references section above for vendor advisories and patch information. Affected products include: Recently (Recently Project), versions below 3.0.5.