PT-2022-9673 · WordPress · Afi Wordpress Plugin
Chuang Li · Published 2022-05-16 · Updated 2022-05-25
CVE-2021-25119 · CVSS v3.1 7.2 (High)
CVSS v3.1 vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
AGIL WordPress plugin versions 1.0 and earlier
Description
The plugin accepts any uploaded zip archive and extracts it without validating the types of the files it contains, so a high-privilege user such as an administrator can place arbitrary files, including PHP files, on the server, which leads to remote code execution (RCE).
Recommendations
For AGIL WordPress plugin versions 1.0 and earlier, update to a version that includes a fix for this issue to prevent the upload of arbitrary files. As a temporary workaround, consider restricting the upload of zip files or implementing additional validation for extracted file types to minimize the risk of exploitation.
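The validation the recommendation asks for, as an added example that is not code from the affected plugin: the archive is opened with PHP's ZipArchive and every entry is checked against an extension allowlist and for unsafe paths before anything is extracted. The function name, the allowlist and the upload path are assumptions chosen for illustration.

```php
<?php
// Added example (not the plugin's code): inspect a zip archive before extraction.
// ALLOWED_EXTENSIONS is an assumed allowlist; adjust it to what the feature needs.
const ALLOWED_EXTENSIONS = ['css', 'js', 'png', 'jpg', 'jpeg', 'gif', 'svg', 'json', 'txt'];

/**
 * Returns a list of findings; an empty list means the archive passes this policy.
 * Extraction is refused on any finding, so one PHP file anywhere in the archive
 * blocks the whole upload.
 */
function validate_zip_contents(string $zipPath): array {
    $problems = [];
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        return ['archive could not be opened'];
    }
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = $zip->getNameIndex($i);
        $normalized = str_replace('\\', '/', $name);
        // Reject empty names, absolute paths and ".." segments so extraction cannot
        // escape the target directory.
        if ($normalized === '' || $normalized[0] === '/' || preg_match('#(^|/)\.\.(/|$)#', $normalized)) {
            $problems[] = "unsafe path: $name";
            continue;
        }
        if (substr($normalized, -1) === '/') {
            continue; // directory entry, no content
        }
        // Check every extension in the name, not only the last one, so a double
        // extension such as name.php.png is also rejected; a file with no extension
        // (including dotfiles such as .htaccess) is rejected too.
        $parts = explode('.', basename($normalized));
        array_shift($parts); // drop the stem
        if ($parts === []) {
            $problems[] = "file without extension: $name";
            continue;
        }
        foreach ($parts as $ext) {
            if (!in_array(strtolower($ext), ALLOWED_EXTENSIONS, true)) {
                $problems[] = "disallowed file type '$ext': $name";
                break;
            }
        }
    }
    $zip->close();
    return $problems;
}

// Usage: refuse extraction unless the archive passes; the path is an assumption.
$findings = validate_zip_contents('/tmp/upload.zip');
if ($findings !== []) {
    foreach ($findings as $f) { error_log("rejected upload: $f"); }
    exit(1);
}
// Only now extract the archive into the intended directory.
```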
Tags: RCE · Unrestricted File Upload
Affected Products
Afi Wordpress Plugin