← Back to CVEs

CVE-2021-24222

CRITICAL

9.8

Description

The WP-Curriculo Vitae Free WordPress plugin through 6.3 suffers from an arbitrary file upload issue in page where the [formCadastro] is embed. The form allows unauthenticated user to register and submit files for their profile picture as well as resume, without any file extension restriction, leading to RCE.

CVE Details

CVSS v3.1 Score9.8

SeverityCRITICAL

CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack VectorNETWORK

ComplexityLOW

Privileges RequiredNONE

User InteractionNONE

Published4/12/2021

Last Modified11/21/2024

Sourcenvd

Honeypot Sightings0

Affected Products

williamluis:wp-curriculo_vitae_free

Weaknesses (CWE)

CWE-434

References

https://github.com/jinhuang1102/CVE-ID-Reports/blob/145fc4e34c9b9799275c8e19d6b02f544c88126b/WP_Curriculo_Free.md(contact@wpscan.com)

https://wpscan.com/vulnerability/4d715de6-8595-4da9-808a-04a28e409900(contact@wpscan.com)

https://github.com/jinhuang1102/CVE-ID-Reports/blob/145fc4e34c9b9799275c8e19d6b02f544c88126b/WP_Curriculo_Free.md(af854a3a-2127-422b-91ae-364da2661108)

https://wpscan.com/vulnerability/4d715de6-8595-4da9-808a-04a28e409900(af854a3a-2127-422b-91ae-364da2661108)

IOC Correlations

No correlations recorded

This product uses data from the NVD API but is not endorsed or certified by the NVD.