CVE-2021-24212
📋 TL;DR
This vulnerability allows unauthenticated attackers to upload arbitrary files to WordPress sites running the WooCommerce Help Scout plugin at any version before 2.9.1. Because the upload can be a PHP file, it leads directly to remote code execution, as well as malware hosting or website defacement. Every WordPress site running an affected plugin version is exposed.
💻 Affected Systems
- WooCommerce Help Scout WordPress Plugin
📦 What is this software?
WooCommerce Help Scout is a WordPress plugin, sold through WooCommerce.com, that connects a WooCommerce store to the Help Scout customer-support platform.
⚠️ Risk & Real-World Impact
Worst Case
Complete site compromise via webshell upload leading to data theft, ransomware deployment, or persistent backdoor installation.
Likely Case
Malware upload leading to SEO spam, phishing pages, or cryptocurrency miners being deployed on the server.
If Mitigated
Upload attempts are blocked at the web application firewall, or any file that does get written cannot execute because PHP is disabled in the uploads directory; no successful exploitation.
🎯 Exploit Status
Exploitation is a single HTTP POST carrying a multipart file upload to the vulnerable plugin endpoint. No credentials, session or user interaction are required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.9.1
Vendor Advisory: https://woocommerce.com/products/woocommerce-help-scout/ (product page; the fix is recorded in the plugin changelog linked under References)
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'WooCommerce Help Scout'.
4. Click 'Update Now' if an update is available.
5. Alternatively, download version 2.9.1 or later from WooCommerce.com and update manually.
🔧 Temporary Workarounds
Block PHP execution in the upload directory via .htaccess
Prevent uploaded PHP files from executing (Apache only)
# Put this in wp-content/uploads/.htaccess, NOT in the WordPress root .htaccess:
# a FilesMatch deny in the root would also block index.php and wp-admin and take
# the site down. Uploads should never execute PHP, so this can stay after patching.
<FilesMatch "\.(php|phtml|php3|php4|php5|php7|phps|php-s|pht|phar)$">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order Allow,Deny
    Deny from all
  </IfModule>
</FilesMatch>
# Alternatively, in the WordPress root .htaccess, block only the hstmp path
# (requires mod_rewrite; place above the standard WordPress rewrite block)
RewriteEngine On
RewriteRule ^wp-content/uploads/hstmp/.*\.php$ - [F,L]
# Caveat: this stops uploaded PHP from running, not the upload itself. Non-PHP
# payloads (phishing HTML, SEO spam) can still be written, and nginx needs an
# equivalent location block since it ignores .htaccess.
Disable plugin temporarily
Deactivate the vulnerable plugin until it can be updated (WP-CLI)
wp plugin deactivate woocommerce-help-scout
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block multipart file uploads to the plugin's endpoint and to deny any request for a .php file under /wp-content/uploads/hstmp/
- Disable PHP execution under wp-content/uploads in the web server configuration (for example a FilesMatch deny or php_flag engine off on Apache); filesystem permissions alone do not stop PHP from running a file the web server can read
- Audit wp-content/uploads/hstmp for files that are already present; a WAF only stops future uploads, not a webshell that was dropped before the rule went in
🔍 How to Verify
Check if Vulnerable:
Check plugin version in WordPress admin panel under Plugins → Installed Plugins. If version is below 2.9.1, you are vulnerable.
Check Version:
wp plugin get woocommerce-help-scout --field=version
Verify Fix Applied:
Confirm the installed plugin version is 2.9.1 or higher and that the plugin is active on that version. Then confirm an unauthenticated upload attempt to the plugin endpoint is rejected, and that a .php file placed in wp-content/uploads/hstmp/ returns 403 rather than executing if you also applied the .htaccess workaround.
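The version check above is easy to get wrong in a script: a plain string compare says "2.10" is older than "2.9.1". The following is an added example (not part of the original advisory or of the plugin) that consumes the output of `wp plugin list --format=json`, compares versions numerically against 2.9.1, and reports whether the site is actually exposed (vulnerable version and plugin active). The plugin-list JSON embedded here is constructed sample data; the field names name, status, update and version are the columns WP-CLI emits.

```python
import json
import re

PATCHED = (2, 9, 1)                 # first fixed release per the advisory
SLUG = "woocommerce-help-scout"     # plugin slug used by `wp plugin` commands

# Constructed sample of `wp plugin list --format=json` output (not real site data).
SAMPLE_WP_PLUGIN_LIST = json.dumps([
    {"name": "woocommerce", "status": "active", "update": "none", "version": "5.1.0"},
    {"name": SLUG, "status": "active", "update": "available", "version": "2.9.0"},
    {"name": "akismet", "status": "inactive", "update": "none", "version": "4.1.9"},
])


def parse_version(version):
    """'2.9.1' -> (2, 9, 1). Keeps the leading numeric components and stops at the
    first non-numeric piece, so '2.9.1-beta' -> (2, 9, 1) and 'trunk' -> ()."""
    parts = []
    for piece in re.split(r"[.\-+]", version.strip()):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def is_vulnerable(version):
    """True when the installed version is below 2.9.1.
    Tuple comparison is numeric, so '2.10' correctly sorts after '2.9.1'.
    An unparseable version yields () which compares as vulnerable: fail closed."""
    return parse_version(version) < PATCHED


def check_plugin_list(wp_plugin_list_json):
    """Locate the Help Scout plugin in WP-CLI's JSON and summarise its exposure."""
    for plugin in json.loads(wp_plugin_list_json):
        if plugin.get("name") == SLUG:
            vulnerable = is_vulnerable(plugin["version"])
            return {
                "installed": True,
                "version": plugin["version"],
                "status": plugin.get("status"),
                "vulnerable": vulnerable,
                # An inactive plugin's endpoint is not wired up, but it still
                # needs the update before anyone re-enables it.
                "exposed": vulnerable and plugin.get("status") == "active",
            }
    return {"installed": False, "vulnerable": False, "exposed": False}


if __name__ == "__main__":
    # Real use: wp plugin list --format=json > plugins.json, then pass that file's text.
    print(check_plugin_list(SAMPLE_WP_PLUGIN_LIST))
```

On a live site, run `wp plugin list --format=json` and feed the output to check_plugin_list; an "exposed": True result means patch or deactivate now.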
📡 Detection & Monitoring
Log Indicators:
- Unauthenticated POST requests carrying multipart file uploads to the plugin's endpoint (the upload is not made to the uploads directory itself; that is where the file lands)
- Any request for a .php, .phtml or .phar file under /wp-content/uploads/hstmp/; a 200 response here is the classic sign of a planted webshell being used, a burst of 404s is probing
- New files appearing in wp-content/uploads/hstmp with executable extensions, found via filesystem audit or file-integrity monitoring
Network Indicators:
- A POST from an unauthenticated source closely followed by a request to a .php file under hstmp from the same client (upload, then execute)
- Upload traffic from scripted clients (curl, wget, python-requests) rather than browsers, which is unusual for a help-desk widget
SIEM Query:
source="web_server_logs" AND uri_path="/wp-content/uploads/hstmp/*" AND (uri_path="*.php*" OR uri_path="*.phtml*" OR uri_path="*.phar*")
The original query OR-ed the user-agent clauses against the path, so it fired on every POST from curl or wget anywhere on the site; scope the user-agent filter to the plugin endpoint as a separate, lower-severity rule instead.
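The indicators above are simple enough to check directly against access logs. This is an added example, not part of the original advisory, that parses Apache/nginx combined-format lines, flags any request for a PHP-like file under /wp-content/uploads/hstmp/, and raises a higher-severity alert when such a request from a client follows a POST from the same client within a short window (the upload-then-execute pattern). The log lines are constructed; the POST target used in them is WordPress's generic admin-ajax.php and is only a placeholder, since this page does not identify the plugin's actual upload endpoint. Combined logs do not record Content-Type, so the multipart indicator is approximated by the POST itself.

```python
import re
from datetime import datetime, timedelta

# Apache/nginx "combined" access log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

HSTMP_PREFIX = "/wp-content/uploads/hstmp/"
# Extensions commonly handed to the PHP interpreter; tested against the path with
# the query string already stripped.
PHP_EXT_RE = re.compile(r"\.(?:php\d?|phtml|phps|php-s|pht|phar)$", re.IGNORECASE)

# Constructed sample log (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2021:14:02:11 +0000] "GET /shop/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2021:14:03:40 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 87 "-" "python-requests/2.25.1"',
    '198.51.100.7 - - [10/Mar/2021:14:03:42 +0000] "GET /wp-content/uploads/hstmp/x.php?cmd=id HTTP/1.1" 200 310 "-" "python-requests/2.25.1"',
    '203.0.113.5 - - [10/Mar/2021:14:05:00 +0000] "GET /wp-content/uploads/2021/03/receipt.pdf HTTP/1.1" 200 80213 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Mar/2021:15:30:01 +0000] "GET /wp-content/uploads/hstmp/shell.phtml HTTP/1.1" 404 213 "-" "curl/7.68.0"',
]


def parse_line(line):
    """Return a dict for one combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop query string before extension test
    return rec


def is_php_under_hstmp(path):
    """True for any PHP-like file requested inside the plugin's upload directory."""
    return path.startswith(HSTMP_PREFIX) and bool(PHP_EXT_RE.search(path))


def find_indicators(lines, window=timedelta(minutes=10)):
    """Scan log lines in time order and return alert dicts.

    php_in_hstmp:      any request for a PHP-like file under hstmp (200 = webshell in
                       use, 404 = probing for one).
    upload_then_exec:  a 2xx php_in_hstmp hit from a client that issued a POST within
                       `window` beforehand; this is the upload-then-execute pattern."""
    records = sorted((r for r in map(parse_line, lines) if r), key=lambda r: r["ts"])
    alerts = []
    last_post = {}  # client ip -> timestamp of its most recent POST
    for r in records:
        if r["method"] == "POST":
            last_post[r["ip"]] = r["ts"]
        if not is_php_under_hstmp(r["path"]):
            continue
        base = {"ip": r["ip"], "path": r["path"], "status": r["status"], "ts": r["ts"]}
        alerts.append({"rule": "php_in_hstmp", **base})
        post_ts = last_post.get(r["ip"])
        if post_ts is not None and 200 <= r["status"] < 300 and r["ts"] - post_ts <= window:
            alerts.append({"rule": "upload_then_exec", "post_ts": post_ts, **base})
    return alerts


if __name__ == "__main__":
    for alert in find_indicators(SAMPLE_LOG):
        print(alert["rule"], alert["ip"], alert["path"], alert["status"])
```

Run it over the real access log with `find_indicators(open("access.log"))`; only the upload_then_exec rule is specific enough to page on, the php_in_hstmp 404s are hunting material.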
🔗 References
- http://dzv365zjfbd8v.cloudfront.net/changelogs/woocommerce-help-scout/changelog.txt
- https://wpscan.com/vulnerability/cf9305e8-f5bc-45c3-82db-0ef00fd46129