CVE-2021-24123
📋 TL;DR
This vulnerability allows authenticated WordPress administrators to upload arbitrary files, including PHP scripts, through the PowerPress plugin's podcast artwork upload feature, which did not validate the type of the uploaded file. An attacker who holds or compromises an administrator account can place a PHP file under the site's uploads directory and achieve remote code execution on the affected WordPress site. Only installations running PowerPress versions before 8.3.8 are affected.
💻 Affected Systems
- WordPress PowerPress plugin
📦 What is this software?
Powerpress by Blubrry
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise leading to data theft, malware deployment, website defacement, and lateral movement within the network.
Likely Case
Website takeover, backdoor installation, data exfiltration, and use as part of a botnet or for phishing campaigns.
If Mitigated
Limited impact due to proper access controls, file upload restrictions, and web application firewalls blocking malicious uploads.
🎯 Exploit Status
Exploitation requires administrator credentials; there is no unauthenticated path. Once admin access is obtained the chain is straightforward: upload a PHP file as podcast artwork, then request it directly. Note that on a single-site WordPress install an administrator can normally install plugins anyway, so the extra exposure matters most where file modification is locked down (for example with the DISALLOW_FILE_MODS constant) and admin credentials are the only thing standing between an attacker and code execution.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 8.3.8
Vendor Advisory: https://wordpress.org/plugins/powerpress/#developers
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the PowerPress plugin.
4. Click 'Update Now' if available.
5. If a manual update is needed, download version 8.3.8 or later from WordPress.org, deactivate the old version, upload the new version, and activate it.
🔧 Temporary Workarounds
Block execution of scripts in the uploads directory
Configure the web server to refuse requests for .php and other script files under wp-content/uploads/. This does not stop the upload itself (the plugin still writes the file); it stops the uploaded file from being executed when the attacker requests it, which is what turns the upload into code execution. The rule is not specific to PowerPress, so it also covers other upload bugs that write into the same tree.
# Apache 2.4 .htaccess, placed in wp-content/uploads/ (requires AllowOverride for that directory):
<FilesMatch "\.(php|php3|php4|php5|phtml|pl|py|jsp|asp|sh|cgi)$">
    Require all denied
</FilesMatch>
# On Apache 2.2 use "Order Allow,Deny" followed by "Deny from all" in place of "Require all denied".
Disable PowerPress plugin
Temporarily disable the plugin until patching is possible. Deactivating it removes the vulnerable upload handler, but also takes down podcast feeds and players until it is re-enabled.
wp plugin deactivate powerpress
🧯 If You Can't Patch
- Implement strict access controls for admin accounts (MFA, strong passwords, limited admin users)
- Deploy web application firewall with file upload protection rules
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Installed Plugins → PowerPress version. If the version is below 8.3.8, the system is vulnerable. Compare versions numerically, not as strings: 8.3.10 is newer than 8.3.8 even though it sorts before it lexically.
Check Version:
wp plugin get powerpress --field=version
Verify Fix Applied:
Confirm PowerPress plugin version is 8.3.8 or higher in WordPress admin panel.
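The following script is an added example (not part of this advisory or of the PowerPress project) that turns the version check above into a scriptable test. It compares dotted version numbers component by component, so 8.3.10 is correctly treated as patched, and when invoked with --check it reads the installed version through wp-cli. It assumes wp-cli is on PATH and that the script runs from the WordPress root.

```shell
#!/bin/sh
# Added example, not part of the advisory: compare an installed PowerPress
# version against the fixed release without relying on lexical string
# comparison (which would wrongly rank 8.3.10 below 8.3.8).
# Assumes wp-cli is installed and the script runs from the WordPress root
# when invoked with --check.

FIXED_VERSION="8.3.8"

# version_lt A B: succeeds (exit 0) when dotted version A is strictly lower than B.
# Missing components count as 0, so 8.3 equals 8.3.0 and 9 is above 8.3.8.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, ".")
        nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# powerpress_status VERSION: prints "vulnerable" or "patched".
powerpress_status() {
    if version_lt "$1" "$FIXED_VERSION"; then
        echo vulnerable
    else
        echo patched
    fi
}

# Live check against the installed plugin (wp-cli must be on PATH).
if [ "${1:-}" = "--check" ]; then
    v=$(wp plugin get powerpress --field=version 2>/dev/null) || {
        echo "PowerPress not found or wp-cli unavailable" >&2
        exit 2
    }
    echo "PowerPress $v: $(powerpress_status "$v")"
fi
```

Run it as `sh check-powerpress.sh --check` from the WordPress root; an exit code of 2 means wp-cli could not read the plugin, not that the site is safe.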
📡 Detection & Monitoring
Log Indicators:
- Unusual file uploads to /wp-content/uploads/powerpress/
- PHP file uploads from admin users
- POST requests to /wp-admin/admin-ajax.php with upload parameters
Network Indicators:
- HTTP POST requests with file uploads to PowerPress endpoints
- Unexpected outbound connections from web server after file upload
SIEM Query:
Two queries in the same pseudo-syntax. The first surfaces upload traffic (POSTs to admin-ajax.php or to PowerPress pages); it is noisy on a busy site and should be correlated with the authenticated admin user and time of day. The second is the high-signal one, because nothing legitimate requests a .php file from the uploads tree.
source="web_access_logs" AND method="POST" AND (uri_path="/wp-admin/admin-ajax.php" OR uri_path CONTAINS "powerpress")
source="web_access_logs" AND uri_path CONTAINS "/wp-content/uploads/" AND uri_path CONTAINS ".php"
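The script below is an added example (not part of this advisory) that applies the same indicators on the host itself rather than in a SIEM: one function filters an access log for the two patterns above, the other lists script files under the uploads directory. It assumes Apache/nginx combined log format; the sample log lines and the paths in the usage comments are constructed for illustration, not real traffic.

```shell
#!/bin/sh
# Added example, not part of the advisory: host-side checks that turn the
# detection indicators into something you can run against an access log and
# the uploads directory. Assumes Apache/nginx combined log format; the
# sample lines and paths below are constructed for illustration.

# flag_requests: read combined-format log lines on stdin and print those
# that match the advisory's indicators, prefixed with the matching category.
#   UPLOAD-PATH    POST to admin-ajax.php or to any PowerPress URI
#   PHP-IN-UPLOADS any request for a .php file under wp-content/uploads
flag_requests() {
    awk '{
        method = substr($6, 2)   # $6 is "\"POST" in combined format; drop the quote
        uri = $7
        if (method == "POST" && (uri ~ "/wp-admin/admin-ajax[.]php" || tolower(uri) ~ "powerpress"))
            print "UPLOAD-PATH " $0
        else if (uri ~ "/wp-content/uploads/" && uri ~ "[.]php([?/]|$)")
            print "PHP-IN-UPLOADS " $0
    }'
}

# php_in_uploads DIR: list script files under the uploads directory.
# A clean install has none; anything listed needs review.
php_in_uploads() {
    find "$1" -type f \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.php[3-7]' \)
}

# Constructed sample log (not real traffic): a login, an admin POST from the
# PowerPress settings page, a webshell hit, and a benign image fetch.
SAMPLE_LOG='203.0.113.5 - - [10/Mar/2021:10:01:02 +0000] "GET /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2021:10:01:40 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 52 "https://example.test/wp-admin/admin.php?page=powerpress" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2021:10:02:11 +0000] "GET /wp-content/uploads/powerpress/shell.php?cmd=id HTTP/1.1" 200 89 "-" "curl/7.68.0"
198.51.100.7 - - [10/Mar/2021:10:03:00 +0000] "GET /wp-content/uploads/2021/03/cover.jpg HTTP/1.1" 200 40231 "-" "Mozilla/5.0"'

# count_flagged: number of sample lines flagged (self-check for the filter).
count_flagged() {
    printf '%s\n' "$SAMPLE_LOG" | flag_requests | wc -l | tr -d ' '
}

# Typical use on a live host (paths assumed, adjust to your layout):
#   flag_requests < /var/log/apache2/access.log
#   php_in_uploads /var/www/html/wp-content/uploads
```

On the sample log the filter flags the admin POST as UPLOAD-PATH and the shell.php request as PHP-IN-UPLOADS, and ignores the login and the image. Treat any PHP-IN-UPLOADS hit, or any file listed by php_in_uploads, as an incident until proven otherwise; the UPLOAD-PATH hits only become interesting when they cluster around the same time or originate from an unexpected source address.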