CVE-2021-25052

HIGH NUCLEI

Button Generator <2.3.3 - CSRF RCE

Title source: llm

Description

The Button Generator WordPress plugin before 2.3.3 within the wow-company admin menu page allows to include() arbitrary file with PHP extension (as well as with data:// or http:// protocols), thus leading to CSRF RCE.

Nuclei Templates (1)

WordPress Button Generator <2.3.3 - Remote File Inclusion

HIGHby cckuailong

References (2)

[Patch, Third Party Advisory] https://plugins.trac.wordpress.org/changeset/2641639/button-generation

[Exploit, Third Party Advisory] https://wpscan.com/vulnerability/a01844a0-0c43-4d96-b738-57fe5bfbd67a

Scores

CVSS v3 8.8

EPSS 0.4241

EPSS Percentile 97.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CWE

CWE-352

Status published

Products (1)

wow-company/button_generator < 2.3.3

Published Jan 10, 2022

Tracked Since Feb 18, 2026