CVE-2021-24212

CRITICAL EXPLOITED NUCLEI

Woocommerce Help Scout < 2.9.1 - Unrestricted File Upload

Title source: rule

Description

The WooCommerce Help Scout WordPress plugin before 2.9.1 (https://woocommerce.com/products/woocommerce-help-scout/) allows unauthenticated users to upload any files to the site which by default will end up in wp-content/uploads/hstmp.

Nuclei Templates (1)

WooCommerce Help Scout - Arbitrary File Upload

CRITICALby ritikchaddha

FOFA: body="/wp-content/plugins/woocommerce-help-scout"

References (2)

[Release Notes, Third Party Advisory] http://dzv365zjfbd8v.cloudfront.net/changelogs/woocommerce-help-scout/changelog.txt

[Exploit, Third Party Advisory] https://wpscan.com/vulnerability/cf9305e8-f5bc-45c3-82db-0ef00fd46129

Scores

CVSS v3 9.8

EPSS 0.7446

EPSS Percentile 98.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2021-03-21

CWE

CWE-434

Status published

Products (1)

woocommerce/help_scout < 2.9.1

Published Apr 05, 2021

Tracked Since Feb 18, 2026