Business Hours Pro <= 5.5.0 – Unauthenticated Arbitrary File Upload to RCE | CVE 2021-24240

Description

The plugin allows a remote attacker to upload arbitrary files using its manual update functionality, leading to an unauthenticated remote code execution vulnerability.

Note (WPScanTeam):
- The issue has been escalated to Envato on March 30th, 2021 and the plugin has been removed from the marketplace.
- The issue seems to be exploited since a few months by malicious actors, as some reviews/comments suggest (https://codecanyon.net/item/business-hours-pro-wordpress-plugin/reviews/9414879)

Proof of Concept

The PoC will be displayed once the issue has been remediated.

Affects Plugins

iva-business-hours-pro

No known fix

References

CVE

CVE-2021-24240

URL

https://codecanyon.net/item/business-hours-pro-wordpress-plugin/9414879

Miscellaneous

Original Researcher

Harald Eilertsen

Submitter

Harald Eilertsen

Submitter website

https://jetpack.com

Verified

Yes

WPVDB ID

10528cb2-12a1-43f7-9b7d-d75d18fdf5bb

Timeline

Publicly Published

2021-04-02 (about 3 years ago)

Added

2021-04-02 (about 3 years ago)

Last Updated

2021-04-04 (about 3 years ago)

Other

Published

Title

Published

2014-08-01

Title

Pica Photo Gallery - Arbitrary File Upload

Published

2016-06-13

Title

Remote Upload <= 1.2.1 - Unrestricted File Upload

Published

2020-01-14

Title

Elementor < 2.7.5 - Authenticated Arbitrary File Upload

Published

2021-08-16

Title

Email Artillery <= 4.1 - Arbitrary File Upload

Published

2014-08-01

Title

wp-3dflick-slideshow - Arbitrary File Upload