CVE-2021-24493
CRITICALShopp WordPress Plugin < 1.4 - Unauthenticated Arbitrary File Upload via shopp_upload_file AJAX Action
Title source: llmDescription
The shopp_upload_file AJAX action of the Shopp WordPress plugin through 1.4, available to both unauthenticated and authenticated user does not have any security measure in place to prevent upload of malicious files, such as PHP, allowing unauthenticated users to upload arbitrary files and leading to RCE
References (1)
Core 1
Core References
Exploit, Third Party Advisory x_refsource_misc
https://wpscan.com/vulnerability/dcc7be04-550b-427a-a14f-a2365d96a00e
Scores
CVSS v3
9.8
EPSS
0.0191
EPSS Percentile
77.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-434
Status
published
Products (1)
ingenesis/shopp
< 1.4
Published
Sep 13, 2021
Tracked Since
Feb 18, 2026