CVE-2021-25052

CVE-2021-25052: Button Generator < 2.3.3 - RFI leading to RCE via CSRF

Vendor Unknown
Product Button Generator – easily Button Builder
Weakness CWE-352 · CSRF
Published January 10, 2022
Last update August 3, 2024
View on NVD All CVEs

CVSS base score

What the vulnerability does

01Description

The Button Generator WordPress plugin before 2.3.3 within the wow-company admin menu page allows to include() arbitrary file with PHP extension (as well as with data:// or http:// protocols), thus leading to CSRF RCE.

Key dates

02Disclosure timeline

January 10, 2022 CVE published
August 3, 2024 Record updated

Related vulnerabilities

04Related CVE

CVE-2025-28860 WordPress Google News Editors Picks Feed Generator plugin <= 2.1 - CSRF to Stored XSS vulnerability CVE-2025-28863 WordPress Delete Original Image plugin <= 0.4 - Cross Site Request Forgery (CSRF) vulnerability CVE-2023-46629 WordPress Remove Add to Cart WooCommerce Plugin <= 1.4.4 is vulnerable to Cross Site Request Forgery (CSRF) CVE-2025-14906 WP Youtube Video Gallery <= 1.0 - Cross-Site Request Forgery to Plugin Settings Update CVE-2024-7459 OSWAPP Warehouse Inventory System edit_account.php cross-site request forgery