CVE-2021-24490

Name of the Vulnerable Software and Affected Versions The Email Artillery (MASS EMAIL) WordPress plugin versions 4.1 and earlier

Description The issue allows arbitrary files to be uploaded due to improper checking of uploaded files from the Import Emails feature. Additionally, the plugin lacks a CSRF check, making it exploitable via a CSRF attack. However, the presence of a .htaccess file, which denies access to everything in the folder where the file is uploaded, limits the accessibility of the malicious uploaded file to web servers like Nginx/IIS.

Recommendations For The Email Artillery (MASS EMAIL) WordPress plugin versions 4.1 and earlier: As a temporary workaround, consider disabling the Import Emails feature until a patch is available. Restrict access to the folder where files are uploaded to minimize the risk of exploitation. Avoid using the plugin on web servers such as Nginx/IIS until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.