CVE-2021-24376 - OpenCVE

The Autoptimize WordPress plugin before 2.7.8 attempts to delete malicious files (such as .php) form the uploaded archive via the "Import Settings" feature, after its extraction. However, the extracted folders are not checked and it is possible to upload a zip which contained a directory with PHP file in it and then it is not removed from the disk. It is a bypass of CVE-2020-24948 which allows sending a PHP file via the "Import Settings" functionality to achieve Remote Code Execution.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Autoptimize	Autoptimize

Configuration 1 [-]

cpe:2.3:a:autoptimize:autoptimize:*:*:*:*:*:wordpress:*:*

No data.

References

Link	Providers
https://wpscan.com/vulnerability/93edcc23-894a-46c2-84d2-407dcb64ba1e

History

No history.

MITRE

Status: PUBLISHED

Assigner: WPScan

Published: 2021-06-21T19:18:22

Updated: 2024-08-03T19:28:23.812Z

Reserved: 2021-01-14T00:00:00

Link: CVE-2021-24376

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-06-21T20:15:09.050

Modified: 2021-09-20T17:10:42.047

Link: CVE-2021-24376

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Autoptimize", "vendor": "Unknown", "versions": [{"lessThan": "2.7.8", "status": "affected", "version": "2.7.8", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Marcin W\u0119g\u0142owski"}], "descriptions": [{"lang": "en", "value": "The Autoptimize WordPress plugin before 2.7.8 attempts to delete malicious files (such as .php) form the uploaded archive via the \"Import Settings\" feature, after its extraction. However, the extracted folders are not checked and it is possible to upload a zip which contained a directory with PHP file in it and then it is not removed from the disk. It is a bypass of CVE-2020-24948 which allows sending a PHP file via the \"Import Settings\" functionality to achieve Remote Code Execution."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-434", "description": "CWE-434 Unrestricted Upload of File with Dangerous Type", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-06-21T19:18:22", "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://wpscan.com/vulnerability/93edcc23-894a-46c2-84d2-407dcb64ba1e"}], "source": {"discovery": "UNKNOWN"}, "title": "Autoptimize < 2.7.8 - Arbitrary File Upload via \"Import Settings\"", "x_generator": "WPScan CVE Generator", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "contact@wpscan.com", "ID": "CVE-2021-24376", "STATE": "PUBLIC", "TITLE": "Autoptimize < 2.7.8 - Arbitrary File Upload via \"Import Settings\""}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Autoptimize", "version": {"version_data": [{"version_affected": "<", "version_name": "2.7.8", "version_value": "2.7.8"}]}}]}, "vendor_name": "Unknown"}]}}, "credit": [{"lang": "eng", "value": "Marcin W\u0119g\u0142owski"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The Autoptimize WordPress plugin before 2.7.8 attempts to delete malicious files (such as .php) form the uploaded archive via the \"Import Settings\" feature, after its extraction. However, the extracted folders are not checked and it is possible to upload a zip which contained a directory with PHP file in it and then it is not removed from the disk. It is a bypass of CVE-2020-24948 which allows sending a PHP file via the \"Import Settings\" functionality to achieve Remote Code Execution."}]}, "generator": "WPScan CVE Generator", "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-434 Unrestricted Upload of File with Dangerous Type"}]}]}, "references": {"reference_data": [{"name": "https://wpscan.com/vulnerability/93edcc23-894a-46c2-84d2-407dcb64ba1e", "refsource": "CONFIRM", "url": "https://wpscan.com/vulnerability/93edcc23-894a-46c2-84d2-407dcb64ba1e"}]}, "source": {"discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T19:28:23.812Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://wpscan.com/vulnerability/93edcc23-894a-46c2-84d2-407dcb64ba1e"}]}]}, "cveMetadata": {"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "assignerShortName": "WPScan", "cveId": "CVE-2021-24376", "datePublished": "2021-06-21T19:18:22", "dateReserved": "2021-01-14T00:00:00", "dateUpdated": "2024-08-03T19:28:23.812Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:autoptimize:autoptimize:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "53E96CFF-8CD3-4AD1-BA84-4739E8F83A2F", "versionEndExcluding": "2.7.8", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Autoptimize WordPress plugin before 2.7.8 attempts to delete malicious files (such as .php) form the uploaded archive via the \"Import Settings\" feature, after its extraction. However, the extracted folders are not checked and it is possible to upload a zip which contained a directory with PHP file in it and then it is not removed from the disk. It is a bypass of CVE-2020-24948 which allows sending a PHP file via the \"Import Settings\" functionality to achieve Remote Code Execution."}, {"lang": "es", "value": "El plugin Autoptimize de WordPress versiones anteriores a 2.7.8, intenta eliminar los archivos maliciosos (como los .php) del archivo subido por medio de la funcionalidad \"Import Settings\", despu\u00e9s de su extracci\u00f3n. Sin embargo, las carpetas extra\u00eddas no era comprobadas y es posible subir un zip que contenga un directorio con un archivo PHP en \u00e9l y que luego no se elimine del disco. Se trata de una omisi\u00f3n del CVE-2020-24948 que permite enviar un archivo PHP por medio de la funcionalidad \"Import Settings\" para lograr una ejecuci\u00f3n de c\u00f3digo remota"}], "id": "CVE-2021-24376", "lastModified": "2021-09-20T17:10:42.047", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-06-21T20:15:09.050", "references": [{"source": "contact@wpscan.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://wpscan.com/vulnerability/93edcc23-894a-46c2-84d2-407dcb64ba1e"}], "sourceIdentifier": "contact@wpscan.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-434"}], "source": "contact@wpscan.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-434"}], "source": "nvd@nist.gov", "type": "Secondary"}]}