Imagements <= 1.2.5 - Unauthenticated Arbitrary File Upload to RCE

The Imagements WordPress plugin, versions <= 1.2.5, allowed images to be uploaded in comments, however, only checked for the Content-Type HTTP header for validation, which can be tampered with. This allows unauthenticated attackers to upload arbitrary files by using a valid image Content-Type header along with a PHP file, leading to Remote Code Execution (RCE). At the time of writing, the plugin had not been updated in over 8 years, and has been removed from the official WordPress repository. This vulnerability has been given CVE number CVE-2021-24236. As there plugin hasn’t been updated in 8 years and is no longer on the WordPress repository, it is highly recommended that it be removed as soon as possible and an alternative be found.