CVE-2021-4455

CRITICAL

Wordpress Plugin Smart Product Review <= 1.0.4 - Unauthenticated Arbitrary File Upload


Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-4455. PoC published by Keyvan Hardani.

AI-analyzed exploit summary: This exploit targets a file upload vulnerability in the WordPress Smart Product Review plugin (version <= 1.0.4). It bypasses file extension restrictions by manipulating the 'allowedExtensions' parameter to upload arbitrary files, including PHP shells.

Description

The Smart Product Review plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 1.0.4. This makes it possible for unauthenticated attackers to upload arbitrary files to the affected site's server, which may make remote code execution possible.

Exploits (1)

exploitdb WORKING POC
by Keyvan Hardani · python · webapps · php
https://www.exploit-db.com/exploits/50533

Classification
Working PoC 95%
Attack Type
RCE
Complexity
Trivial
Reliability
Reliable
Target: WordPress Plugin Smart Product Review <= 1.0.4
No auth needed
Prerequisites: Target must have the vulnerable plugin installed · Target must be accessible via HTTP/HTTPS
Analyzed by devstral-2 · Feb 16, 2026

Scores

CVSS v3 9.8
EPSS 0.0064
EPSS Percentile 45.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

CWE
CWE-434
Status published
Products (1)
Codeflist/Wordpress Plugin Smart Product Review < 1.0.4
Published Apr 19, 2025
Tracked Since Feb 18, 2026