CVE-2021-42362

HIGH

WordPress Popular Posts <= 5.3.2 - Authenticated Arbitrary File Upload in Image.php


Exploitation Summary

EIP tracks 4 public exploits for CVE-2021-42362. PoCs published by Simone Cristofaro, samiba6, simonecris, including Metasploit module exploits/multi/http/wp_popular_posts_rce.

AI-analyzed exploit summary: This exploit leverages an authenticated RCE vulnerability in WordPress Popular Posts plugin <= 5.3.2 by uploading a malicious GIF file disguised as a PHP shell via custom fields. It requires contributor-level access and the GD PHP extension to be enabled.

Description

The WordPress Popular Posts WordPress plugin is vulnerable to arbitrary file uploads due to insufficient input file type validation found in the ~/src/Image.php file which makes it possible for attackers with contributor level access and above to upload malicious files that can be used to obtain remote code execution, in versions up to and including 5.3.2.

Exploits (4)

exploitdb WORKING POC
by Simone Cristofaro · python · webapps · php
https://www.exploit-db.com/exploits/50129

This exploit leverages an authenticated RCE vulnerability in WordPress Popular Posts plugin <= 5.3.2 by uploading a malicious GIF file disguised as a PHP shell via custom fields. It requires contributor-level access and the GD PHP extension to be enabled.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: WordPress Popular Posts plugin <= 5.3.2
Auth required
Prerequisites: WordPress Popular Posts plugin <= 5.3.2 · Contributor role or higher · GD PHP extension enabled · Popular Posts widget active
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC
by samiba6 · poc
https://github.com/samiba6/CVE-2021-42362

This PoC exploits an arbitrary file upload vulnerability in the WordPress Popular Posts plugin (CVE-2021-42362) by uploading a malicious GIF file containing PHP code to achieve remote code execution. It authenticates as a contributor-level user, configures plugin settings to enable thumbnail generation, and uploads the payload via a third-party file hosting service.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: WordPress Popular Posts plugin (version not specified)
Auth required
Prerequisites: Contributor-level WordPress credentials · GD PHP extension enabled on the server · WordPress Popular Posts plugin installed and activated
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC
by simonecris · poc
https://github.com/simonecris/CVE-2021-42362-PoC

This PoC exploits a case-insensitive file extension bypass in the SP Project & Document Manager WordPress plugin (CVE-2021-42362) to upload a malicious PHP file disguised as an image. It then leverages the WordPress Popular Posts plugin to execute the uploaded shell via thumbnail generation.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: SP Project & Document Manager WordPress plugin < 4.22
Auth required
Prerequisites: Valid WordPress credentials · WordPress Popular Posts plugin installed · PHP GD extension enabled
devstral-2 · analyzed Feb 16, 2026
metasploit WORKING POC NORMAL
by h00die, Simone Cristofaro, Jerome Bruandet · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/wp_popular_posts_rce.rb

This Metasploit module exploits an authenticated RCE vulnerability in WordPress Popular Posts plugin <= 5.3.2 by leveraging improper input validation to upload a malicious PHP payload disguised as a GIF image. The exploit chain involves reconfiguring plugin settings, creating a post, and triggering payload execution via the widget.

Classification: Working PoC (100%)
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: WordPress Popular Posts plugin <= 5.3.2
Auth required
Prerequisites: Valid WordPress credentials · GD library enabled on the server · Metasploit server with FQDN and open port (80/443/8080)
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3: 8.8
EPSS: 0.8027
EPSS Percentile: 99.6%
Attack Vector: NETWORK
Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-434
Status: published
Products (1): wordpress_popular_posts_project/wordpress_popular_posts < 5.3.2
Published: Nov 17, 2021
Tracked Since: Feb 18, 2026