CVE-2021-24472

CRITICAL NUCLEI

Qantumthemes Kentharadio < 2.0.2 - SSRF

Title source: rule

Description

The OnAir2 WordPress theme before 3.9.9.2 and QT KenthaRadio WordPress plugin before 2.0.2 have exposed proxy functionality to unauthenticated users, sending requests to this proxy functionality will have the web server fetch and display the content from any URI, this would allow for SSRF (Server Side Request Forgery) and RFI (Remote File Inclusion) vulnerabilities on the website.

Nuclei Templates (1)

Onair2 < 3.9.9.2 & KenthaRadio < 2.0.2 - Remote File Inclusion/Server-Side Request Forgery

CRITICALVERIFIEDby Suman_Kar

Shodan: http.html:/wp-content/plugins/qt-kentharadio

FOFA: body=/wp-content/plugins/qt-kentharadio

References (1)

[Exploit, Third Party Advisory] https://wpscan.com/vulnerability/17591ac5-88fa-4cae-a61a-4dcf5dc0b72a

Scores

CVSS v3 9.8

EPSS 0.8982

EPSS Percentile 99.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-918

Status published

Products (2)

qantumthemes/kentharadio < 2.0.2

qantumthemes/onair2 < 3.9.9.2

Published Aug 02, 2021

Tracked Since Feb 18, 2026