CVE-2021-24493
CRITICALIngenesis Shopp < 1.4 - Unrestricted File Upload
Title source: ruleDescription
The shopp_upload_file AJAX action of the Shopp WordPress plugin through 1.4, available to both unauthenticated and authenticated user does not have any security measure in place to prevent upload of malicious files, such as PHP, allowing unauthenticated users to upload arbitrary files and leading to RCE
References (1)
Core 1
Core References
Exploit, Third Party Advisory x_refsource_misc
https://wpscan.com/vulnerability/dcc7be04-550b-427a-a14f-a2365d96a00e
Scores
CVSS v3
9.8
EPSS
0.0171
EPSS Percentile
82.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-434
Status
published
Products (1)
ingenesis/shopp
< 1.4
Published
Sep 13, 2021
Tracked Since
Feb 18, 2026