PT-2021-3415 · WordPress · Wordpress Classifieds Plugin

Jin Huang · Published 2021-05-05 · Updated 2021-05-14 · CVE-2021-24253

CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Classyfrieds WordPress plugin versions prior to 3.8
Description: The plugin allows unrestricted upload of files with a dangerous type (CWE-434). When an authenticated user adds a listing, the uploaded file is checked only against the Content-Type of the multipart request, a value the client sets freely; neither the file extension nor the file contents are validated. Any authenticated user can therefore upload an arbitrary PHP file through the Add Listing feature and execute it by requesting it over HTTP, leading to remote code execution on the web server.
Recommendations: Update the Classyfrieds plugin to version 3.8 or later, which validates uploaded files properly. Until the update is applied, disable the file upload feature of the Add Listing form, or restrict the Add Listing feature to trusted roles, since any authenticated account is sufficient to exploit the issue. As defence in depth, configure the web server to refuse to execute PHP in the plugin's upload directory, and review that directory for unexpected .php files, since an attacker may already have placed a web shell there.
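How the flaw described above arises and what a fixed upload handler has to do, as an added example written for this page; it is not the Classyfrieds plugin's code and does not reproduce its internals. The function names, the $file array (one entry of PHP's $_FILES) and the $upload_dir parameter are assumptions. The first function shows the Content-Type-only check the advisory describes; the second shows the validation a fixed version needs.

```php
<?php
/*
 * Added illustration for this advisory; not the Classyfrieds plugin's source.
 * Function names, the $file array shape (a single entry of $_FILES) and
 * $upload_dir are assumptions made for the example.
 */

/*
 * Vulnerable pattern described in the advisory: the only check is the
 * Content-Type of the multipart part, which the client controls. Sending
 * shell.php with "Content-Type: image/jpeg" passes, and the file lands in a
 * web-reachable directory under its original name.
 */
function classifieds_upload_vulnerable( array $file, string $upload_dir ) {
    $allowed_types = array( 'image/jpeg', 'image/png', 'image/gif' );
    if ( ! in_array( $file['type'], $allowed_types, true ) ) { // $file['type'] is attacker-supplied
        return null;
    }
    $dest = rtrim( $upload_dir, '/' ) . '/' . basename( $file['name'] );
    return move_uploaded_file( $file['tmp_name'], $dest ) ? $dest : null;
}

/*
 * Hardened form: decide the type from an extension allowlist and the file's
 * magic bytes, ignore the request's Content-Type entirely, and store under a
 * server-chosen random name so the attacker controls neither name nor extension.
 */
function classifieds_upload_hardened( array $file, string $upload_dir ) {
    if ( ! isset( $file['error'] ) || UPLOAD_ERR_OK !== $file['error'] ) {
        return null;
    }
    if ( ! is_uploaded_file( $file['tmp_name'] ) ) { // must be this request's own upload
        return null;
    }

    // The only extension => MIME pairs that may ever be stored.
    $allowed = array(
        'jpg'  => 'image/jpeg',
        'jpeg' => 'image/jpeg',
        'png'  => 'image/png',
        'gif'  => 'image/gif',
    );

    // 1. Extension taken from the client filename and checked against the
    //    allowlist. Rejects shell.php, shell.phtml, shell.php5 and similar outright.
    $ext = strtolower( pathinfo( $file['name'], PATHINFO_EXTENSION ) );
    if ( ! isset( $allowed[ $ext ] ) ) {
        return null;
    }

    // 2. MIME type read from the file contents on disk, never from $file['type'].
    //    Catches shell.jpg that is really PHP text.
    $finfo    = new finfo( FILEINFO_MIME_TYPE );
    $detected = $finfo->file( $file['tmp_name'] );
    if ( $detected !== $allowed[ $ext ] ) {
        return null;
    }

    // 3. Inside WordPress, also run core's own check: it validates images with
    //    getimagesize() and applies the site's allowed-MIME policy.
    if ( function_exists( 'wp_check_filetype_and_ext' ) ) {
        $wp = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
        if ( empty( $wp['ext'] ) || empty( $wp['type'] ) || $wp['type'] !== $allowed[ $ext ] ) {
            return null;
        }
    }

    // 4. Random server-side name; the attacker no longer chooses the path.
    $dest = rtrim( $upload_dir, '/' ) . '/' . bin2hex( random_bytes( 16 ) ) . '.' . $ext;
    return move_uploaded_file( $file['tmp_name'], $dest ) ? $dest : null;
}
```

Even with these checks a file that is both a valid image and valid PHP (a polyglot) can pass, so the upload directory must additionally be configured so the web server never executes PHP from it (an Apache directive removing the PHP handler for that directory, or an nginx location that denies .php under the uploads path). The random filename also removes the attacker's ability to guess the URL of anything that did get through.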

Exploit

Fix

RCE

Unrestricted File Upload


Weakness Enumeration

Related Identifiers

BDU:2021-03267
CVE-2021-24253

Affected Products

Wordpress Classifieds Plugin