PT-2021-16058 · WordPress · Similar Posts

Anton Sarsadskikh +1 · Published 2021-11-08 · Updated 2022-07-28 · CVE-2021-24537

CVSS v3.1: 7.2 (High)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Similar Posts WordPress plugin, versions 3.1.5 and earlier.

Description: The issue allows high-privilege users to execute arbitrary PHP code even in a hardened environment, that is, one where DISALLOW_FILE_EDIT, DISALLOW_FILE_MODS and DISALLOW_UNFILTERED_HTML are all set to true. The vector is the condition setting of the widget_rrm_similar_posts widget: the value saved in this setting is treated as PHP code, so an account that can save the widget's settings can run arbitrary code on the server. The three hardening constants do not prevent this, because they only disable the plugin/theme file editor, plugin and theme installation and updates, and unfiltered HTML in user-supplied content respectively; none of them governs code that a plugin itself evaluates from a stored option. This is why the CVSS vector carries PR:H: the attacker needs an account that is already allowed to manage widgets, and the weakness turns that settings access into the code execution the hardening was meant to rule out.

Recommendations: For versions 3.1.5 and earlier, until a patched release is available, do not use the condition setting and clear it in every existing widget instance; if the plugin is not needed, deactivate and remove it. Keep the number of accounts that can manage widgets (the edit_theme_options capability, held by administrators by default) to a minimum, since exploitation requires that level of access. As a check, inspect the stored widget settings (the widget_rrm_similar_posts option) for any non-empty condition value and treat one you did not set yourself as a sign of compromise.
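As a concrete form of the mitigations above, the following must-use plugin is an added example; it is not code from the Similar Posts plugin or from the advisory. It assumes the widget settings live in the option widget_rrm_similar_posts (WordPress stores widget instances under widget_ followed by the widget's id_base, and the id_base here is inferred from the setting name in the description) and that the PHP condition is stored under the per-instance key condition; verify both against the installed plugin's widget class before relying on it. The hooks it uses, pre_update_option_{$option} and admin_notices, are standard WordPress hooks.

```php
<?php
/**
 * Plugin Name: Similar Posts condition hardening (added example)
 * Description: Blocks and audits the widget "condition" setting abused in CVE-2021-24537.
 *
 * Drop this file into wp-content/mu-plugins/ so WordPress loads it automatically.
 */

defined( 'ABSPATH' ) || exit;

// ASSUMPTION: WordPress stores widget instances under 'widget_' . $id_base;
// the id_base 'rrm_similar_posts' is inferred from the advisory text and
// must be verified against the installed plugin before relying on it.
define( 'SP_HARDEN_OPTION', 'widget_rrm_similar_posts' );

// ASSUMPTION: the per-instance key that holds the PHP condition is 'condition'.
define( 'SP_HARDEN_KEY', 'condition' );

/**
 * Return [instance index => condition] for every widget instance that has a
 * non-empty condition. The '_multiwidget' marker WordPress adds to the option
 * is not an array and is skipped.
 */
function sp_harden_find_conditions( $instances ) {
    $found = array();
    if ( ! is_array( $instances ) ) {
        return $found;
    }
    foreach ( $instances as $idx => $instance ) {
        if ( is_array( $instance ) && isset( $instance[ SP_HARDEN_KEY ] )
             && trim( (string) $instance[ SP_HARDEN_KEY ] ) !== '' ) {
            $found[ $idx ] = $instance[ SP_HARDEN_KEY ];
        }
    }
    return $found;
}

/**
 * pre_update_option_{$option} runs before the new value is written, and what
 * it returns is what gets stored. Strip the condition from every instance so
 * nothing reaches the plugin's evaluator, and log who tried: only a
 * high-privilege account can get here, so an attempt is worth investigating.
 */
function sp_harden_strip_conditions( $new_value, $old_value ) {
    foreach ( sp_harden_find_conditions( $new_value ) as $idx => $condition ) {
        error_log( sprintf(
            '[sp-harden] user %d attempted to save a condition in widget instance %s: %s',
            get_current_user_id(), $idx, substr( $condition, 0, 200 )
        ) );
        $new_value[ $idx ][ SP_HARDEN_KEY ] = '';
    }
    return $new_value;
}
add_filter( 'pre_update_option_' . SP_HARDEN_OPTION, 'sp_harden_strip_conditions', 10, 2 );

/**
 * The filter above only protects future saves. A condition already stored in
 * the database is still evaluated by the plugin, so surface it to admins.
 */
function sp_harden_admin_notice() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    $found = sp_harden_find_conditions( get_option( SP_HARDEN_OPTION, array() ) );
    if ( empty( $found ) ) {
        return;
    }
    printf(
        '<div class="notice notice-error"><p>%s</p></div>',
        esc_html( sprintf(
            'Similar Posts widget instances %s have a stored PHP condition (CVE-2021-24537). Clear it or remove the widget.',
            implode( ', ', array_keys( $found ) )
        ) )
    );
}
add_action( 'admin_notices', 'sp_harden_admin_notice' );
```

This is a mitigation, not a fix: it stops new conditions from being saved through the normal widget settings path (WP_Widget::save_settings() goes through update_option(), which fires the filter) and reports any that are already stored, but it does not change how the plugin evaluates the setting, and a write that bypasses update_option(), for example directly in the database, is not intercepted. Combine it with removing the plugin where it is not needed and with reviewing which accounts hold edit_theme_options.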

Weakness Enumeration

Code Injection

Related Identifiers

CVE-2021-24537

Affected Products

Similar Posts