Business Hours Pro <= 5.5.0 – Unauthenticated Arbitrary File Upload to RCE | CVE 2021-24240

Description

The plugin allows a remote attacker to upload arbitrary files using its manual update functionality, leading to an unauthenticated remote code execution vulnerability.

Note (WPScanTeam):
- The issue has been escalated to Envato on March 30th, 2021 and the plugin has been removed from the marketplace.
- The issue seems to be exploited since a few months by malicious actors, as some reviews/comments suggest (https://codecanyon.net/item/business-hours-pro-wordpress-plugin/reviews/9414879)

Proof of Concept

The PoC will be displayed once the issue has been remediated.

Affects Plugins

iva-business-hours-pro

No known fix

References

CVE

CVE-2021-24240

URL

https://codecanyon.net/item/business-hours-pro-wordpress-plugin/9414879

Miscellaneous

Original Researcher

Harald Eilertsen

Submitter

Harald Eilertsen

Submitter website

https://jetpack.com

Verified

Yes

WPVDB ID

10528cb2-12a1-43f7-9b7d-d75d18fdf5bb

Timeline

Publicly Published

2021-04-02 (about 4 years ago)

Added

2021-04-02 (about 4 years ago)

Last Updated

2021-04-04 (about 4 years ago)

Other

Published

Title

Published

2024-08-13

Title

Slider & Popup Builder by Depicter – Add Image Slider, Carousel Slider, Exit Intent Popup, Popup Modal, Coupon Popup, Post Slider Carousel < 3.1.2 - Authenticated (Contributor+) Arbitrary File Upload

Published

2017-02-28

Title

Mobile App Native <= 3.0 - Remote File Upload

Published

2024-08-02

Title

YayExtra – WooCommerce Extra Product Options < 1.3.8 - Unauthenticated Arbitrary File Upload via handle_upload_file Function

Published

2024-10-29

Title

FileOrganizer < 1.1.0 - Authenticated (Subscriber+) Arbitrary File Upload

Published

2014-08-01

Title

EditorMonkey - (FCKeditor) Arbitrary File Upload