WordPress Plugin Vulnerabilities

Business Hours Pro <= 5.5.0 - Unauthenticated Arbitrary File Upload to RCE

Description

The plugin allows a remote attacker to upload arbitrary files using its manual update functionality, leading to an unauthenticated remote code execution vulnerability.

Note (WPScanTeam):
- The issue has been escalated to Envato on March 30th, 2021 and the plugin has been removed from the marketplace.
- The issue seems to be exploited since a few months by malicious actors, as some reviews/comments suggest (https://codecanyon.net/item/business-hours-pro-wordpress-plugin/reviews/9414879)

Proof of Concept

The PoC will be displayed once the issue has been remediated.

Affects Plugins

Plugin icon
iva-business-hours-pro
No known fix

References

CVE
CVE-2021-24240
URL
https://codecanyon.net/item/business-hours-pro-wordpress-plugin/9414879

Miscellaneous

Original Researcher
Harald Eilertsen
Submitter
Harald Eilertsen
Submitter website
https://jetpack.com
Verified
Yes
WPVDB ID
10528cb2-12a1-43f7-9b7d-d75d18fdf5bb

Timeline

Publicly Published
2021-04-02 (about 2 years ago)
Added
2021-04-02 (about 2 years ago)
Last Updated
2021-04-04 (about 2 years ago)

Other

Published
Title
Published
2021-09-23
Title
3DPrint Lite < 1.9.1.5 - Unauthenticated Arbitrary File Upload
Published
2019-05-02
Title
User Submitted Posts <= 20190426 - Arbitrary File Upload
Published
2021-09-13
Title
Download from files <= 1.48 - Unauthenticated Arbitrary File Upload
Published
2014-08-01
Title
CAC Featured Content 0.8 - Shell Upload
Published
2021-08-23
Title
Simple School Staff Directory <= 1.1 - Admin+ Arbitrary File Upload