WordPress Plugin Vulnerabilities

Event Banner <= 1.3 - Arbitrary File Upload to RCE

Description

The plugin does not verify the uploaded image file, allowing admin accounts to upload arbitrary files, such as .exe, .php, or others executable, leading to RCE. Due to the lack of CSRF check, the issue can also be used via such vector to achieve the same result, or via a LFI as authorisation checks are missing (but would require WP to be loaded)

Proof of Concept

Affects Plugins

Plugin icon
free-event-banner
No known fix

References

CVE
CVE-2021-24252
URL
https://github.com/jinhuang1102/CVE-ID-Reports/blob/master/Event%20Banner.md
YouTube Video

Miscellaneous

Original Researcher
Jin Huang
Submitter
Jin Huang
Submitter website
https://github.com/jinhuang1102
Submitter twitter
JinHWhite412Ash
Verified
Yes
WPVDB ID
91e81c6d-f24d-4f87-bc13-746715af8f7c

Timeline

Publicly Published
2021-04-10 (about 4 years ago)
Added
2021-04-12 (about 4 years ago)
Last Updated
2021-04-14 (about 4 years ago)

Other

Published
Title
Published
2025-05-30
Title
SUMO Affiliates Pro <= 10.7.0 - Unauthenticated Arbitrary File Upload
Published
2015-04-04
Title
Work The Flow File Upload <= 2.5.2 - Shell Upload
Published
2016-06-07
Title
Wordpress Levo-Slideshow - Arbitrary File Upload
Published
2024-03-29
Title
Shortcode Addons <= 3.2.5 - Authenticated (Admin+) Arbitrary File Upload
Published
2024-11-27
Title
Tumult Hype Animations < 1.9.16 - Authenticated (Author+) Arbitrary File Upload via hypeanimations_panel Function