CVE-2021-39352

HIGH

Wordpress Plugin Catch Themes Demo Import RCE

Title source: metasploit

Exploitation Summary

EIP tracks 2 public exploits for CVE-2021-39352. PoCs published by Ron Jost, h00die, and Thinkland Security Team, including the Metasploit module exploits/multi/http/wp_catch_themes_demo_import.

AI-analyzed exploit summary: This exploit targets a file upload vulnerability in the WordPress Catch Themes Demo Import plugin (CVE-2021-39352), allowing authenticated attackers to upload a malicious PHP shell for remote code execution. The PoC includes authentication, nonce extraction, and a multipart form upload of a p0wny shell.

Description

The Catch Themes Demo Import WordPress plugin is vulnerable to arbitrary file uploads via the import functionality found in the ~/inc/CatchThemesDemoImport.php file, in versions up to and including 1.7, due to insufficient file type validation. This makes it possible for an attacker with administrative privileges to upload malicious files that can be used to achieve remote code execution.

Exploits (2)

exploitdb · WORKING POC
by Ron Jost · python · webapps · php
https://www.exploit-db.com/exploits/50580

This exploit targets a file upload vulnerability in the WordPress Catch Themes Demo Import plugin (CVE-2021-39352), allowing authenticated attackers to upload a malicious PHP shell for remote code execution. The PoC includes authentication, nonce extraction, and a multipart form upload of a p0wny shell.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: WordPress Plugin Catch Themes Demo Import <= 1.6.1
Auth required
Prerequisites: WordPress admin credentials · Plugin version <= 1.6.1 · Network access to WordPress admin panel
devstral-2 · analyzed Feb 16, 2026
metasploit · WORKING POC · Rank: Normal
by h00die, Ron Jost, Thinkland Security Team · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/wp_catch_themes_demo_import.rb

This Metasploit module exploits an authenticated arbitrary file upload vulnerability in the WordPress plugin Catch Themes Demo Import (versions < 1.8). It uploads a malicious PHP payload via the import functionality and triggers it to achieve remote code execution.

Classification: Working PoC (100%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: WordPress Plugin Catch Themes Demo Import < 1.8
Auth required
Prerequisites: Valid WordPress credentials · Catch Themes Demo Import plugin version < 1.8
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3: 7.2
EPSS: 0.5665
EPSS Percentile: 98.9%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: total

Details

CWE: CWE-434
Status: published
Products (1): catchplugins/catch_themes_demo_import < 1.7
Published: Oct 21, 2021
Tracked Since: Feb 18, 2026