N5 Upload Form <= 1.0 – Unauthenticated Arbitrary File Upload to RCE | CVE 2021-24223

Description

The plugin suffers from an arbitrary file upload issue in page where a Form from the plugin is embed, as any file can be uploaded. The uploaded filename might be hard to guess as it's generated with md5(uniqid(rand())), however, in the case of misconfigured servers with Directory listing enabled, accessing it is trivial.

Proof of Concept

The PoC will be displayed once the issue has been remediated.

Affects Plugins

n5-uploadform

No known fix

References

CVE

CVE-2021-24223

URL

https://github.com/jinhuang1102/CVE-ID-Reports/blob/12863f80ced5361e2e2c3f7209566ab3730aa37b/N5_upload.md

Miscellaneous

Original Researcher

Jin Huang

Submitter

Jin Huang

Submitter website

https://github.com/jinhuang1102

Submitter twitter

JinHuan70342329

Verified

Yes

WPVDB ID

d7a72183-0cd1-45de-b98b-2e295b27e5db

Timeline

Publicly Published

2021-03-26 (about 4 years ago)

Added

2021-03-26 (about 4 years ago)

Last Updated

2021-04-01 (about 4 years ago)

Other

Published

Title

Published

2014-08-01

Title

Top Quark Architecture 2.1.0 - lib/js/fancyupload/showcase/batch/script.php File Upload PHP Code Execution

Published

2025-04-09

Title

Squeeze < 1.6.1 - Authenticated (Admin+) Arbitrary File Upload

Published

2021-06-29

Title

Super Progressive Web Apps < 2.1.12 - Authenticated (Low Privileged) Arbitrary File Upload to RCE

Published

2025-09-08

Title

Doccure Core < 1.5.4 - Unauthenticated Arbitrary File Upload

Published

2025-11-24

Title

Royal Elementor Addons and Templates < 1.7.1037 - Unauthenticated Media File Upload