CVE-2021-24499

CRITICAL · EXPLOITED IN THE WILD · NUCLEI

Workreap < 2.2.2 - Unauthenticated Arbitrary File Upload via AJAX Temp File Uploader

Title source: llm

Exploitation Summary

CVE-2021-24499 has been observed exploited in the wild (reported by VulnCheck KEV, InTheWild.io). EIP tracks 6 public exploits from researchers including Mohammad Hossein Khanaki, j4k0m, jayhutajulu1. A Nuclei detection template is also available.

AI-analyzed exploit summary: This exploit leverages an unauthenticated file upload vulnerability in WordPress Theme Workreap 2.2.2 to achieve remote code execution. It uploads a malicious PHP file via the 'workreap_award_temp_file_uploader' action and executes arbitrary commands.

Description

The Workreap WordPress theme before 2.2.2 AJAX actions workreap_award_temp_file_uploader and workreap_temp_file_uploader did not perform nonce checks, or validate that the request is from a valid user in any other way. The endpoints allowed for uploading arbitrary files to the uploads/workreap-temp directory. Uploaded files were neither sanitized nor validated, allowing an unauthenticated visitor to upload executable code such as php scripts.

Exploits (6)

exploitdb WORKING POC
by Mohammad Hossein Khanaki · python · webapps · php
https://www.exploit-db.com/exploits/51510

This exploit leverages an unauthenticated file upload vulnerability in WordPress Theme Workreap 2.2.2 to achieve remote code execution. It uploads a malicious PHP file via the 'workreap_award_temp_file_uploader' action and executes arbitrary commands.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: WordPress Theme Workreap 2.2.2
No auth needed
Prerequisites: Target must be running WordPress with the vulnerable Workreap theme (version 2.2.2) · Network access to the target's /wp-admin/admin-ajax.php endpoint
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC 16 stars
by j4k0m · poc
https://github.com/j4k0m/CVE-2021-24499

This repository contains a functional exploit for CVE-2021-24499, which allows unauthenticated file upload leading to remote code execution in the Workreap WordPress theme. The exploit leverages two AJAX actions that lack nonce checks to upload a malicious PHP shell.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Workreap WordPress theme
No auth needed
Prerequisites: Target running vulnerable Workreap theme · Access to wp-admin/admin-ajax.php endpoint
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC
by jayhutajulu1 · remote
https://github.com/jayhutajulu1/CVE-2021-24499

This repository contains a functional exploit for CVE-2021-24499, an unauthenticated arbitrary file upload vulnerability in the Workreap WordPress theme. The exploit leverages the `workreap_award_temp_file_uploader` AJAX action to upload a PHP shell, leading to remote code execution.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Workreap WordPress Theme < 2.2.2
No auth needed
Prerequisites: curl · PHP shell file
devstral-2 · analyzed Feb 19, 2026
nomisec WORKING POC
by jytmX · remote
https://github.com/jytmX/CVE-2021-24499

This repository contains a functional exploit for CVE-2021-24499, an unauthenticated file upload vulnerability in the Workreap WordPress theme. The exploit leverages the `workreap_award_temp_file_uploader` AJAX action to upload a malicious PHP file (`abe.php`) to the target server, leading to remote code execution.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Workreap WordPress theme (unspecified version)
No auth needed
Prerequisites: Target must be running the vulnerable Workreap theme · Target must have the `wp-admin/admin-ajax.php` endpoint accessible
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC
by hh-hunter · poc
https://github.com/hh-hunter/cve-2021-24499

This repository provides a functional exploit PoC for CVE-2021-24499, a vulnerability in the Akismet plugin for WordPress. It includes Docker configurations to set up both vulnerable and patched environments, allowing researchers to test the exploit in a controlled setting.

Classification: Working PoC 90%
Attack Type: Other
Complexity: Moderate
Reliability: Reliable
Target: WordPress Akismet plugin
No auth needed
Prerequisites: Docker environment · WordPress installation with Akismet plugin
devstral-2 · analyzed Feb 18, 2026
inthewild WORKING POC
poc
https://github.com/ryouyoo/cve-2021-24499

The repository contains a functional exploit for CVE-2021-24499, targeting an unauthenticated file upload vulnerability in the Workreap WordPress theme. The exploit uploads a malicious PHP shell via the `workreap_award_temp_file_uploader` AJAX action, leading to remote code execution.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Workreap WordPress theme
No auth needed
Prerequisites: target running vulnerable Workreap theme · access to `/wp-admin/admin-ajax.php`
devstral-2 · analyzed Feb 23, 2026

Nuclei Templates (1)

WordPress Workreap - Remote Code Execution
CRITICAL · by daffainfo

Scores

CVSS v3 9.8
EPSS 0.9387
EPSS Percentile 99.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2021-12-21
InTheWild.io 2021-12-21
CWE
CWE-434
Status published
Products (1)
amentotech/workreap < 2.2.2
Published Aug 09, 2021
Tracked Since Feb 18, 2026