CVE-2021-24254

The College publisher Import WordPress plugin through 0.1 does not check for the uploaded CSV file to import, allowing high privilege users to upload arbitrary files, such as PHP, leading to RCE. Due to the lack of CSRF check, the issue could also be exploited via a CSRF attack.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.2 HIGH
NETWORK
LOW
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
WPScanCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 74%
VendorProductVersion
college_publisher_import_projectcollege_publisher_import
𝑥
≤ 0.1
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/jinhuang1102/CVE-ID-Reports/blob/master/College%20Puglisher%20Import.md
https://wpscan.com/vulnerability/bb3e56dd-ae2e-45c2-a6c9-a59ae5fc1dc4
https://github.com/jinhuang1102/CVE-ID-Reports/blob/master/College%20Puglisher%20Import.md
https://wpscan.com/vulnerability/bb3e56dd-ae2e-45c2-a6c9-a59ae5fc1dc4