WordPress Plugin Vulnerabilities

Similar Posts < 3.1.6 - Admin+ Arbitrary PHP Code Execution

Description

The plugin allow high privilege users to execute arbitrary PHP code in an hardened environment (ie with DISALLOW_FILE_EDIT, DISALLOW_FILE_MODS and DISALLOW_UNFILTERED_HTML set to true) via the 'widget_rrm_similar_posts_condition' widget setting of the plugin.

Vendor was notified in July 2021, the issue was then escalated to the WP plugins team in August and October due to their unresponsiveness.

Proof of Concept

Affects Plugins

Plugin icon
similar-posts
Fixed in 3.1.6

References

CVE
CVE-2021-24537

Classification

Type
RCE
OWASP top 10
A1: Injection
CWE
CWE-94
CVSS
7.2 (high)

Miscellaneous

Original Researcher
bl4derunner
Submitter
Anton Sarsadskikh
Verified
Yes
WPVDB ID
0d6b46cb-5244-486f-ad70-4023907ac9eb

Timeline

Publicly Published
2021-10-11 (about 4 years ago)
Added
2021-10-11 (about 4 years ago)
Last Updated
2022-04-08 (about 3 years ago)

Other

Published
Title
Published
2020-04-19
Title
Media Library Assistant < 2.82 - Authenticated RCE
Published
2024-05-14
Title
Insert or Embed Articulate Content into WordPress < 4.3000000025 - Author+ Upload to RCE
Published
2022-05-18
Title
WP SVG Icons <= 3.2.3 - Admin+ Remote Code Execution (RCE)
Published
2024-07-29
Title
GEO my WordPress < 4.5.0.2 - Unauthenticated LFI to RCE/PHAR Deserialization
Published
2024-05-03
Title
WordPress Meta Data and Taxonomies Filter (MDTF) < 1.3.3.3 - Unauthenticated Arbitrary Shortcode Execution