PT-2021-16136 · WordPress · Wordpress Simple Ecommerce Shopping Cart Plugin- Sell Products Through Paypal

Fellipe Oliveira
Published: 2021-09-13 · Updated: 2022-10-25
CVE-2021-24620
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: WordPress Simple Ecommerce Shopping Cart Plugin- Sell products through Paypal plugin, versions 2.2.5 and earlier
Description: The plugin does not validate files uploaded as Downloadable Digital product files, so an administrator can upload a file of any type, including PHP. Because the upload form also lacks CSRF protection, an unauthenticated attacker who lures a logged-in administrator to a crafted page can make that administrator upload a malicious PHP file, leading to remote code execution (RCE). The CVSS vector reflects this: no privileges required (PR:N), but user interaction by the victim administrator (UI:R).
Recommendations: For WordPress Simple Ecommerce Shopping Cart Plugin- Sell products through Paypal versions 2.2.5 and earlier, update to a version later than 2.2.5. As a temporary workaround, restrict uploads to the file types a downloadable product actually requires (and never to server-executable types such as PHP) and add CSRF protection, i.e. a nonce tied to the upload action, to the upload form.
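To make the two weaknesses and the corresponding fixes concrete, the following is an added illustration written for this page; it is not code from the plugin or from the advisory's author. It shows the class of handler the description refers to (no nonce, no capability check, original file name written straight to a web-reachable directory) next to a hardened version built on the WordPress APIs a plugin author would normally use. The function names `sec_vuln_handle_upload`, `sec_safe_render_form`, `sec_safe_handle_upload`, the nonce action `sec_upload_digital_product` and the `digital/` subdirectory are hypothetical; `check_admin_referer`, `current_user_can`, `wp_check_filetype_and_ext`, `wp_handle_upload` and `wp_nonce_field` are real WordPress core functions.

```php
<?php
// Added example for this advisory page; not the plugin's own code.
// All sec_* names and the 'sec_upload_digital_product' action are hypothetical.

// --- Vulnerable pattern (the bug class the advisory describes) ---
// No nonce (CSRF), no capability check, and the client-supplied file name is
// used as-is, so a forged cross-site form submitted by a logged-in admin can
// store evil.php under wp-content/uploads/digital/ and then request it.
function sec_vuln_handle_upload() {
    $upload_dir = wp_upload_dir();
    $file       = $_FILES['digital_product'];
    $target     = $upload_dir['basedir'] . '/digital/' . $file['name'];
    move_uploaded_file( $file['tmp_name'], $target );
    return $upload_dir['baseurl'] . '/digital/' . $file['name'];
}

// --- Hardened pattern ---
// The form carries a nonce bound to the action; admin-post.php dispatches
// the POST to the admin_post_{action} hook registered below.
function sec_safe_render_form() {
    ?>
    <form method="post" enctype="multipart/form-data"
          action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="sec_upload_digital_product">
        <?php wp_nonce_field( 'sec_upload_digital_product', 'sec_upload_nonce' ); ?>
        <input type="file" name="digital_product">
        <button type="submit">Upload</button>
    </form>
    <?php
}

function sec_safe_handle_upload() {
    // 1. CSRF: the request must carry a valid nonce for this action and this
    //    user; check_admin_referer() dies with a 403-style page otherwise.
    check_admin_referer( 'sec_upload_digital_product', 'sec_upload_nonce' );

    // 2. Authorization: a nonce proves intent, not privilege.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.', '', array( 'response' => 403 ) );
    }

    if ( empty( $_FILES['digital_product'] )
         || $_FILES['digital_product']['error'] !== UPLOAD_ERR_OK ) {
        wp_die( 'No file uploaded.' );
    }

    // 3. Allow-list only what a downloadable product legitimately needs.
    //    No PHP, no .phtml, no .htaccess, nothing the server will execute.
    $allowed = array(
        'pdf'  => 'application/pdf',
        'zip'  => 'application/zip',
        'epub' => 'application/epub+zip',
    );

    // wp_check_filetype_and_ext() validates the extension against $allowed and,
    // for types it can sniff, checks that the content matches the extension.
    $check = wp_check_filetype_and_ext(
        $_FILES['digital_product']['tmp_name'],
        $_FILES['digital_product']['name'],
        $allowed
    );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_die( 'File type not permitted.' );
    }

    // 4. Let core move the file: wp_handle_upload() sanitizes the file name,
    //    re-checks the type against 'mimes' and never overwrites an existing file.
    if ( ! function_exists( 'wp_handle_upload' ) ) {
        require_once ABSPATH . 'wp-admin/includes/file.php';
    }
    $result = wp_handle_upload(
        $_FILES['digital_product'],
        array( 'test_form' => false, 'mimes' => $allowed )
    );
    if ( isset( $result['error'] ) ) {
        wp_die( esc_html( $result['error'] ) );
    }
    return $result['url'];
}
add_action( 'admin_post_sec_upload_digital_product', 'sec_safe_handle_upload' );
```

Note that the two checks are independent: the nonce alone would still let a legitimate administrator upload a PHP file, and the allow-list alone would still let an attacker push a permitted file onto the site through the admin's browser. The advisory's severity comes from the combination, which is why both the type restriction and the CSRF protection are listed as the workaround.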

Exploit

Fix

RCE

Unrestricted File Upload

CSRF

Weakness Enumeration

Related Identifiers

CVE-2021-24620

Affected Products

Wordpress Simple Ecommerce Shopping Cart Plugin- Sell Products Through Paypal