CVE-2021-24161
📋 TL;DR
Vulnerable releases of the Responsive Menu plugin (free and Pro, before 4.0.4) let an attacker get a crafted zip archive uploaded and extracted by tricking a logged-in WordPress administrator into submitting it. PHP files inside the archive are written to a web-accessible directory, so the attacker can request them directly and gain remote code execution on any site running an unpatched version.
💻 Affected Systems
- Responsive Menu WordPress Plugin (Free)
- Responsive Menu WordPress Plugin (Pro)
📦 What is this software?
Responsive Menu by Expresstech, a WordPress plugin that adds a configurable, mobile-friendly navigation menu to a site. It is distributed as a free plugin on wordpress.org and as a paid Pro edition; both editions are affected.
⚠️ Risk & Real-World Impact
Worst Case
Complete site compromise with attacker gaining full control over the WordPress installation, allowing data theft, defacement, malware distribution, and lateral movement to other systems.
Likely Case
Attacker uploads web shell or backdoor, establishes persistent access, and uses the compromised site for further attacks or data exfiltration.
If Mitigated
The attack fails when the administrator does not take the bait, when the upload is blocked by file type restrictions or a security plugin, or when the web server refuses to execute PHP under the directory the archive is extracted into, which leaves any uploaded shell inert.
🎯 Exploit Status
Exploitation requires social engineering: an administrator has to be tricked into submitting a malicious zip archive. Once the archive is extracted, the PHP files it contains are web-accessible and can be requested directly, with no further authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.0.4
Vendor Advisory: https://wordpress.org/plugins/responsive-menu/#developers
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Responsive Menu' and click 'Update Now'.
4. Alternatively, download version 4.0.4 or later from the WordPress plugin repository and update manually. The Pro edition is not distributed through wordpress.org; update it through the vendor's own update channel.
🔧 Temporary Workarounds
Disable Plugin
Temporarily disable the Responsive Menu plugin until it can be patched.
wp plugin deactivate responsive-menu
Restrict File Uploads
Configure the web server so that PHP files under the directory the plugin extracts archives into (wp-content/uploads) are never executed.
Add 'php_flag engine off' to a .htaccess file in wp-content/uploads. That directive only works with Apache running mod_php; under PHP-FPM or another handler Apache rejects it and returns a 500 for the whole directory, so there use a <FilesMatch> block with 'Require all denied' for PHP extensions (Apache 2.4) or a location rule that denies .php requests under /wp-content/uploads/ (nginx). This stops an uploaded shell from running but does not stop the upload itself, so combine it with disabling or updating the plugin.
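The workaround in a form that also holds up under PHP-FPM, as an added example rather than the page's or the plugin's own code. It assumes Apache 2.4, takes the directory to protect as an argument (wp-content/uploads in the comments is the page's assumed extraction path), and also lists PHP files that were already present before the rule was written, since the rule only stops them being served.

```shell
#!/bin/sh
# Added example, not code from the plugin or the page: apply the "no PHP
# execution under uploads" workaround in a form that works with both mod_php
# and PHP-FPM, then scan the directory for PHP files dropped before the rule
# existed. Apache 2.4 is assumed; the directory is whatever the caller passes.

# Usage: harden_php_dir /var/www/html/wp-content/uploads
# Writes a .htaccess that denies requests for PHP-family files. The FilesMatch
# rule needs no PHP module at all, so it is safe under PHP-FPM; php_flag is
# kept only for mod_php and wrapped in IfModule so other handlers ignore it.
harden_php_dir() {
    dir="$1"
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    cat > "$dir/.htaccess" <<'EOF'
# Deny PHP-family files, case-insensitively, whatever handler is in use.
<FilesMatch "(?i)\.(php[0-9]?|phtml|phar|phps)$">
    Require all denied
</FilesMatch>
# Additionally switch the engine off where mod_php is loaded.
<IfModule mod_php.c>
    php_flag engine off
</IfModule>
<IfModule mod_php7.c>
    php_flag engine off
</IfModule>
EOF
}

# Usage: has_php_deny /var/www/html/wp-content/uploads
# Exit 0 if the directory's .htaccess carries the deny rule, 1 otherwise.
has_php_deny() {
    grep -qs 'Require all denied' "$1/.htaccess"
}

# Usage: find_php_files /var/www/html/wp-content/uploads
# Lists PHP-family files already present: a shell extracted before the rule
# was added is still on disk, the rule only stops it being served. Matching
# is case-insensitive because a .PHP file still executes on many setups.
find_php_files() {
    find "$1" -type f \( -iname '*.php' -o -iname '*.php[0-9]' \
        -o -iname '*.phtml' -o -iname '*.phar' -o -iname '*.phps' \) -print
}

# Run against a directory given on the command line; when the script is
# sourced without arguments only the functions are defined.
if [ -n "$1" ]; then
    harden_php_dir "$1" && echo "deny rule written to $1/.htaccess"
    echo "existing PHP files under $1:"
    find_php_files "$1"
fi
```

Run it as `sh harden-uploads.sh /var/www/html/wp-content/uploads`; anything `find_php_files` lists should be reviewed and removed, because the deny rule makes such files unreachable but does not delete them.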
🧯 If You Can't Patch
- Keep administrator accounts to the minimum set of trusted people, and give no untrusted user a role with file upload or plugin management capabilities
- Implement web application firewall rules that block zip uploads containing PHP files and block direct requests to PHP files under wp-content/uploads
🔍 How to Verify
Check if Vulnerable:
In WordPress admin → Plugins → Installed Plugins, read the Responsive Menu version. Any version below 4.0.4, free or Pro, is vulnerable.
Check Version:
wp plugin get responsive-menu --field=version
Verify Fix Applied:
Confirm Responsive Menu plugin version is 4.0.4 or higher in WordPress admin panel.
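The version check as a script, an added example that is not the page's or the plugin's code. It runs the WP-CLI command shown above and, when WP-CLI is unavailable, falls back to reading the standard "Version:" header from the plugin's PHP file. The plugin directory name responsive-menu is taken from the WP-CLI slug on the page; the WordPress path is an assumption supplied by the caller. The comparison is numeric per component, so a future 4.0.10 is not mistaken for a vulnerable release the way a string compare would.

```shell
#!/bin/sh
# Added example, not code from the page or the plugin: decide whether an
# installed Responsive Menu is below the fixed release and report it. The live
# check uses WP-CLI as on the page; when WP-CLI is missing it falls back to the
# "Version:" header in the plugin's own PHP file. Paths are assumptions.

FIXED_VERSION="4.0.4"

# Usage: is_vulnerable 4.0.3   -> exit 0 (vulnerable)
#        is_vulnerable 4.0.10  -> exit 1 (fixed)
# Compares dotted versions component by component as numbers, so 4.0.10 is
# treated as newer than 4.0.4 (a plain string compare gets this wrong).
# Any non-numeric suffix such as "-beta" is dropped before comparing.
is_vulnerable() {
    installed=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')
    [ -n "$installed" ] || return 2
    lowest=$(printf '%s\n%s\n' "$installed" "$FIXED_VERSION" \
        | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)
    [ "$lowest" = "$installed" ] && [ "$installed" != "$FIXED_VERSION" ]
}

# Usage: plugin_header_version /path/to/wp-content/plugins/responsive-menu
# Prints the "Version:" value from the standard WordPress plugin header of the
# first top-level PHP file that carries one (used when WP-CLI is unavailable).
plugin_header_version() {
    [ -d "$1" ] || return 1
    grep -h -m1 -E '^[[:space:]*]*Version:' "$1"/*.php 2>/dev/null \
        | head -n1 \
        | sed -E 's/^[[:space:]*]*Version:[[:space:]]*//; s/[[:space:]]*$//'
}

# Usage: check_live_install /var/www/html
# Exit 0 if the installed plugin is vulnerable, 1 if patched, 2 if not found.
check_live_install() {
    wp_path="${1:-.}"
    ver=$(wp plugin get responsive-menu --field=version --path="$wp_path" 2>/dev/null) \
        || ver=$(plugin_header_version "$wp_path/wp-content/plugins/responsive-menu")
    [ -n "$ver" ] || { echo "responsive-menu: not installed under $wp_path" >&2; return 2; }
    if is_vulnerable "$ver"; then
        echo "responsive-menu $ver: VULNERABLE, update to $FIXED_VERSION or later"
        return 0
    fi
    echo "responsive-menu $ver: patched"
    return 1
}

if [ -n "$1" ]; then
    check_live_install "$1"
fi
```

Run as `sh check-responsive-menu.sh /var/www/html`; the exit status (0 vulnerable, 1 patched, 2 not installed) makes it usable from a fleet-wide loop or a monitoring check.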
📡 Detection & Monitoring
Log Indicators:
- Unusual file uploads to wp-content/uploads via admin interface
- Access to PHP files in upload directories with suspicious names
Network Indicators:
- Multipart POST requests to /wp-admin/admin-ajax.php carrying a .zip file, particularly with a Referer outside your own site (the footprint of a CSRF lure)
- Requests to PHP files under wp-content/uploads from unfamiliar IPs, especially shortly after such an upload
SIEM Query:
source="wordpress.log" AND (("admin-ajax.php" AND "action=upload_zip") OR "wp-content/uploads/*.php")
The action name in the first clause is illustrative; confirm the plugin's actual AJAX action name against the installed plugin source before relying on it. A 200 response to a PHP path under wp-content/uploads is the higher-fidelity signal and should alert on its own.
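The log and network indicators above as runnable checks over a web-server access log in combined format, an added example that is not the page's or the plugin's code. The log lines are constructed for the example; the site URL passed to the second check is an assumption supplied by the caller, and the upload path follows the page's assumption that archives land under wp-content/uploads.

```shell
#!/bin/sh
# Added example, not from the page or the plugin: the detection indicators
# turned into checks that run over combined-format access logs. The sample log
# is constructed; the site origin is an assumption passed in by the caller.

# Constructed sample: a lure page on evil.example gets an admin's browser to
# POST to admin-ajax.php, then a second IP requests the extracted PHP file.
# A legitimate admin-ajax POST (Referer on the site itself) and a request that
# the deny rule stopped (403) are included to show what is not flagged.
SAMPLE_LOG='203.0.113.7 - - [10/Feb/2021:13:55:01 +0000] "GET /wp-admin/admin.php?page=responsive-menu HTTP/1.1" 200 5123 "https://blog.example/wp-admin/" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2021:13:55:09 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 77 "https://evil.example/lure.html" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2021:13:55:20 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 50 "https://blog.example/wp-admin/admin.php?page=responsive-menu" "Mozilla/5.0"
198.51.100.22 - - [10/Feb/2021:13:55:40 +0000] "GET /wp-content/uploads/2021/02/theme/rmp.php?cmd=id HTTP/1.1" 200 412 "-" "curl/7.68.0"
198.51.100.22 - - [10/Feb/2021:13:56:02 +0000] "GET /wp-content/uploads/2021/02/theme/rmp.PHP HTTP/1.1" 200 300 "-" "curl/7.68.0"
192.0.2.5 - - [10/Feb/2021:13:56:30 +0000] "GET /wp-content/uploads/2021/02/photo.jpg HTTP/1.1" 200 80211 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Feb/2021:13:57:00 +0000] "GET /wp-content/uploads/2021/02/old.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"'

# Usage: php_in_uploads < access.log
# One line per request for a PHP-family file under wp-content/uploads, as
# "<status> <client-ip> <path>". A 200 means the server handed the request to
# PHP (or served the source); a 403 means the deny rule did its job. The query
# string is stripped and the extension compared case-insensitively.
php_in_uploads() {
    awk '{
        path = $7; sub(/\?.*/, "", path)
        if (path ~ /^\/wp-content\/uploads\// &&
            tolower(path) ~ /\.(php[0-9]?|phtml|phar|phps)$/)
            print $9, $1, path
    }'
}

# Usage: cross_origin_ajax_posts https://blog.example < access.log
# POSTs to admin-ajax.php whose Referer does not start with the site's own
# origin: the trace a CSRF lure leaves, since a genuine admin action is posted
# from a page on the site itself. Empty referers ("-") are skipped as noise.
# Output: "<client-ip> <timestamp> <referer>".
cross_origin_ajax_posts() {
    awk -v site="$1" '
    $6 == "\"POST" && $7 ~ /^\/wp-admin\/admin-ajax\.php/ {
        ref = $11; gsub(/"/, "", ref)
        ts = $4; sub(/^\[/, "", ts)
        if (ref != "-" && index(ref, site) != 1) print $1, ts, ref
    }'
}

# Run over the constructed sample when invoked with the site origin.
if [ -n "$1" ]; then
    echo "cross-origin admin-ajax POSTs:"
    printf '%s\n' "$SAMPLE_LOG" | cross_origin_ajax_posts "$1"
    echo "PHP requests under wp-content/uploads:"
    printf '%s\n' "$SAMPLE_LOG" | php_in_uploads
fi
```

Against a real log, replace the sample with `php_in_uploads < /var/log/apache2/access.log`. The cross-origin check produces some noise on sites where browsers strip referers, which is why it is meant to be read together with the uploads check rather than alerting alone.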
🔗 References
- https://wpscan.com/vulnerability/efca27e0-bdb6-4497-8330-081f909d6933
- https://www.wordfence.com/blog/2021/02/multiple-vulnerabilities-patched-in-responsive-menu-plugin/