Vulnerabilities > CVE-2021-24253 - Unspecified vulnerability in Classyfrieds Project Classyfrieds

CVSS 8.8 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

LOW

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

classyfrieds-project

NVD

Published: 2021-05-06

Updated: 2024-11-21

Summary

The Classyfrieds WordPress plugin through 3.8 does not properly check the uploaded file when an authenticated user adds a listing, only checking the content-type in the request. This allows any authenticated user to upload arbitrary PHP files via the Add Listing feature of the plugin, leading to RCE.

Vulnerable Configurations

Part	Description	Count
Application	Classyfrieds_Project Classyfrieds Project Classyfrieds - Classyfrieds Project Classyfrieds 3.3 Classyfrieds Project Classyfrieds 3.5 Classyfrieds Project Classyfrieds 3.6 Classyfrieds Project Classyfrieds 3.7 Classyfrieds Project Classyfrieds 3.8	6

References

https://github.com/jinhuang1102/CVE-ID-Reports/blob/master/classyfrieds.md
https://github.com/jinhuang1102/CVE-ID-Reports/blob/master/classyfrieds.md
https://wpscan.com/vulnerability/ee42c233-0ff6-4b27-a5ec-ad3246bef079
https://wpscan.com/vulnerability/ee42c233-0ff6-4b27-a5ec-ad3246bef079