CVE-2021-24253

CVE-2021-24253: Classyfrieds <= 3.8 - Authenticated Arbitrary File Upload to RCE

Vendor: Unknown
Product: Classyfrieds
Weakness: CWE-434 (Unrestricted file upload)
Published: May 5, 2021
Last update: August 3, 2024

What the vulnerability does

01 Description

The Classyfrieds WordPress plugin through 3.8 does not properly check the uploaded file when an authenticated user adds a listing, only checking the content-type in the request. This allows any authenticated user to upload arbitrary PHP files via the Add Listing feature of the plugin, leading to RCE.
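The flaw class described above, shown as an added example that is not the plugin's code: a check that trusts the request's content-type next to one that validates the file itself. The function names, the allow-list and the sample upload are constructed for illustration, and the strict check assumes PHP's fileinfo extension is enabled.

```php
<?php
// Constructed example; not taken from the Classyfrieds plugin.
// Allow-list of extensions and the content type each one must contain.
const ALLOWED = ['jpg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif'];

// Weak pattern from the description: trusts the Content-Type header,
// which is supplied by the client and says nothing about the file.
function weak_check(array $file): bool {
    return in_array($file['type'], ALLOWED, true);
}

// Stricter check: ignores $file['type'] entirely. Returns a server-chosen
// filename on success, or null when the upload must be refused.
function strict_check(array $file): ?string {
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        return null;                      // extension is not on the allow-list
    }
    // Sniff the type from the bytes on disk, not from the request.
    $sniffed = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($sniffed !== ALLOWED[$ext]) {
        return null;                      // content does not match the extension
    }
    // Nothing from the client-supplied name reaches the stored filename.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample in the shape of a $_FILES entry: a PHP source file
// submitted with an image content type.
$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, "<?php echo 'constructed sample'; ?>");
$upload = ['name' => 'listing.php', 'type' => 'image/jpeg', 'tmp_name' => $tmp];

echo 'weak_check:   ', var_export(weak_check($upload), true), PHP_EOL;
echo 'strict_check: ', var_export(strict_check($upload), true), PHP_EOL;
unlink($tmp);
```

Inside WordPress, `wp_check_filetype_and_ext()` and `wp_handle_upload()` provide comparable extension and content validation for plugin upload handlers.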

Key dates

02 Disclosure timeline

May 5, 2021: CVE published
August 3, 2024: Record updated