CVE-2021-33352

CRITICAL

Wyomind Help Desk Magento 2 <1.3.7 - RCE

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-33352. PoCs published by Patrik Lantz.

AI-analyzed exploit summary This exploit demonstrates a stored XSS vulnerability in Wyomind Help Desk for Magento 2, which can be leveraged to enable file uploads with dangerous extensions (e.g., 'phar') and directory traversal to achieve remote code execution (RCE). The PoC includes a detailed payload to modify backend configurations via XSS.

Description

An issue in Wyomind Help Desk Magento 2 extension v.1.3.6 and before fixed in v.1.3.7 allows attacker to execute arbitrary code via a phar file upload in the ticket message field.

Exploits (1)

exploitdb WORKING POC
by Patrik Lantz · textwebappsmultiple
https://www.exploit-db.com/exploits/50113

This exploit demonstrates a stored XSS vulnerability in Wyomind Help Desk for Magento 2, which can be leveraged to enable file uploads with dangerous extensions (e.g., 'phar') and directory traversal to achieve remote code execution (RCE). The PoC includes a detailed payload to modify backend configurations via XSS.

Classification
Working Poc 90%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Wyomind Help Desk for Magento 2 <= 1.3.6
No auth needed
Prerequisites: Access to the frontend ticket submission form · Administrator interaction to trigger the XSS payload
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2
Core References
Exploit, Third Party Advisory, VDB Entry
https://www.exploit-db.com/exploits/50113

Scores

CVSS v3 9.8
EPSS 0.0136
EPSS Percentile 68.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Details

CWE
CWE-434
Status published
Products (1)
wyomind/help_desk < 1.3.7
Published Mar 08, 2023
Tracked Since Feb 18, 2026