PT-2021-3636 · WordPress · Event Banner Wordpress Plugin

Jin Huang


Published 2021-05-05

Updated 2022-10-25

CVE-2021-24252

CVSS v2.0: 9.0 (High)

Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Event Banner WordPress plugin versions prior to 1.4

Description: The plugin does not verify the type of uploaded image files, so an admin account can upload arbitrary files such as .exe or .php, leading to remote code execution (RCE). Because the upload handler also lacks a CSRF check, the upload can be triggered through a logged-in administrator's browser. The missing authorization checks could additionally allow local file inclusion (LFI), although that would require WordPress to be loaded.

Recommendations: For Event Banner WordPress plugin versions prior to 1.4, update to version 1.4 or later to resolve the issue. As a temporary workaround, consider disabling the plugin's file upload functionality until a patch is available, and restrict access to the plugin's upload feature to minimize the risk of exploitation.
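As an added illustration (not the Event Banner plugin's own code), a hardened admin-side upload handler that enforces the three controls the advisory says were missing: authorization, a CSRF nonce, and content-based file type verification. The hook name, nonce action, form field and option key are assumptions.

```php
<?php
// Added example: hardened image upload handler for a WordPress plugin.
// Not the Event Banner plugin's code; hook, nonce action, field and
// option names are assumed for illustration.

add_action( 'admin_post_example_banner_upload', 'example_banner_handle_upload' );

function example_banner_handle_upload() {
    // 1. Authorization: only users who may manage options can upload.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // 2. CSRF: the form must carry a nonce for this action; dies on failure.
    check_admin_referer( 'example_banner_upload', 'example_banner_nonce' );

    if ( empty( $_FILES['banner_image'] ) || UPLOAD_ERR_OK !== $_FILES['banner_image']['error'] ) {
        wp_die( 'No file uploaded.', '', array( 'response' => 400 ) );
    }
    $file = $_FILES['banner_image'];

    // 3. File type verification: allow only raster images and check the
    //    extension against the real content, not the client-supplied name
    //    or MIME type. A renamed .php or .exe payload is rejected here.
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'gif'      => 'image/gif',
    );
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_die( 'Only JPEG, PNG and GIF images are accepted.', '', array( 'response' => 415 ) );
    }
    // The file must also parse as an image at all.
    if ( false === @getimagesize( $file['tmp_name'] ) ) {
        wp_die( 'File is not a valid image.', '', array( 'response' => 415 ) );
    }

    // Let WordPress move the file into the uploads directory; passing
    // 'mimes' makes wp_handle_upload apply the same allow-list again.
    $result = wp_handle_upload( $file, array( 'test_form' => false, 'mimes' => $allowed ) );
    if ( isset( $result['error'] ) ) {
        wp_die( esc_html( $result['error'] ), '', array( 'response' => 500 ) );
    }

    update_option( 'example_banner_image_url', esc_url_raw( $result['url'] ) );
    wp_safe_redirect( admin_url( 'admin.php?page=example-banner&updated=1' ) );
    exit;
}
```

The matching form would be emitted with `wp_nonce_field( 'example_banner_upload', 'example_banner_nonce' )` and post to `admin-post.php` with `action=example_banner_upload`.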

Exploit

Fix

RCE

Unrestricted File Upload

Weakness Enumeration

Related Identifiers

BDU:2021-03855
CVE-2021-24252

Affected Products

Event Banner Wordpress Plugin