CVE-2021-24490

The Email Artillery (MASS EMAIL) WordPress plugin through 4.1 does not properly check the uploaded files from the Import Emails feature, allowing arbitrary files to be uploaded. Furthermore, the plugin is also lacking any CSRF check, allowing such issue to be exploited via a CSRF attack as well. However, due to the presence of a .htaccess, denying access to everything in the folder the file is uploaded to, the malicious uploaded file will only be accessible on Web Servers such as Nginx/IIS

CVSS v3 6.8 MEDIUM
CVSS v2.0 6.0 MEDIUM

6.8^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 0.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

6.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:S/C:P/I:P/A:P

Exploitability : 6.8 / Impact : 6.4

Access Vector NETWORK

Access Complexity MEDIUM

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://wpscan.com/vulnerability/4ea0127e-afef-41bf-a005-c57432f9f58c	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:email_artillery_project:email_artillery:*:*:*:*:*:wordpress:*:*

History

No history.

Information

Published : 2021-09-13 18:15

Updated : 2024-02-28 18:48

NVD link : CVE-2021-24490

Mitre link : CVE-2021-24490

CVE.ORG link : CVE-2021-24490

JSON object : View

Products Affected

email_artillery_project

email_artillery

CWE

CWE-352

Cross-Site Request Forgery (CSRF)

CWE-434

Unrestricted Upload of File with Dangerous Type

{"id": "CVE-2021-24490", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 6.8, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 0.9}]}, "published": "2021-09-13T18:15:14.353", "references": [{"url": "https://wpscan.com/vulnerability/4ea0127e-afef-41bf-a005-c57432f9f58c", "tags": ["Exploit", "Third Party Advisory"], "source": "contact@wpscan.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "contact@wpscan.com", "description": [{"lang": "en", "value": "CWE-352"}, {"lang": "en", "value": "CWE-434"}]}], "descriptions": [{"lang": "en", "value": "The Email Artillery (MASS EMAIL) WordPress plugin through 4.1 does not properly check the uploaded files from the Import Emails feature, allowing arbitrary files to be uploaded. Furthermore, the plugin is also lacking any CSRF check, allowing such issue to be exploited via a CSRF attack as well. However, due to the presence of a .htaccess, denying access to everything in the folder the file is uploaded to, the malicious uploaded file will only be accessible on Web Servers such as Nginx/IIS"}, {"lang": "es", "value": "El plugin Email Artillery de WordPress (MASS EMAIL) versiones hasta 4.1 no comprueba apropiadamente los archivos subidos desde la funcionalidad Import Emails, permitiendo que sean subidos archivos arbitrarios. Adem\u00e1s, el plugin tambi\u00e9n carece de cualquier comprobaci\u00f3n de tipo CSRF, permitiendo que este problema sea explotado tambi\u00e9n por medio de un ataque de tipo CSRF. Sin embargo, debido a la presencia de un .htaccess, denegando el acceso a todo lo que se presenta en la carpeta a la que es subido el archivo, el archivo malicioso subido s\u00f3lo ser\u00e1 accesible en servidores web como Nginx/IIS"}], "lastModified": "2021-09-23T13:51:21.463", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:email_artillery_project:email_artillery:*:*:*:*:*:wordpress:*:*", "vulnerable": true, "matchCriteriaId": "BFC5C644-ADFB-4EE1-9BC4-5341468E607A", "versionEndIncluding": "4.1"}], "operator": "OR"}]}], "sourceIdentifier": "contact@wpscan.com"}