CVE-2021-24663

HIGH

Simple Schools Staff Directory < 1.1 - Authenticated Arbitrary File Upload via Logo Picture


Description

The Simple Schools Staff Directory WordPress plugin through 1.1 does not validate uploaded logo pictures to ensure that they are indeed images, allowing high-privilege users such as an admin to upload arbitrary files such as PHP, leading to RCE.

References (1)

Core References
Exploit, Third Party Advisory x_refsource_misc
https://wpscan.com/vulnerability/8b5b5b57-50c5-4cd8-9171-168c3e9df46a

Scores

CVSS v3: 7.2
EPSS: 0.0144
EPSS Percentile: 69.9%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-434
Status: published
Products (1): simple_schools_staff_directory_project/simple_schools_staff_directory < 1.1
Published: Sep 20, 2021
Tracked Since: Feb 18, 2026