The Email Artillery (MASS EMAIL) WordPress plugin through 4.1 does not properly check files uploaded through the Import Emails feature, allowing arbitrary files to be uploaded. Furthermore, the plugin also lacks any CSRF check, so the issue can be exploited via a CSRF attack as well. However, because a .htaccess file denies access to everything in the folder the file is uploaded to, the malicious uploaded file will only be accessible on web servers such as Nginx/IIS.
MITRE
Status: PUBLISHED
Assigner: WPScan
Published: 2021-09-13T17:56:16
Updated: 2024-08-03T19:35:19.462Z
Reserved: 2021-01-14T00:00:00
Link: CVE-2021-24490
NVD
Status: Analyzed
Published: 2021-09-13T18:15:14.353
Modified: 2021-09-23T13:51:21.463
Link: CVE-2021-24490