CVE-2021-24236

CRITICAL NUCLEI

Imagements < 1.2.5 - Unrestricted File Upload

Title source: rule

Description

The Imagements WordPress plugin through 1.2.5 allows images to be uploaded in comments, however only checks for the Content-Type in the request to forbid dangerous files. This allows unauthenticated attackers to upload arbitrary files by using a valid image Content-Type along with a PHP filename and code, leading to RCE.

Nuclei Templates (1)

WordPress Imagements <=1.2.5 - Arbitrary File Upload

CRITICALby pussycat0x

References (1)

[Exploit, Third Party Advisory] https://wpscan.com/vulnerability/8f24e74f-60e3-4100-9ab2-ec31b9c9cdea

Scores

CVSS v3 9.8

EPSS 0.7413

EPSS Percentile 98.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-434

Status published

Products (1)

imagements_project/imagements < 1.2.5

Published May 06, 2021

Tracked Since Feb 18, 2026