CVE-2021-24222

9.8 CRITICAL

📋 TL;DR

The WP-Curriculo Vitae Free WordPress plugin through version 6.3 contains an arbitrary file upload vulnerability that allows unauthenticated attackers to upload malicious files without extension restrictions. This can lead to remote code execution (RCE) on affected WordPress sites. Any WordPress installation using this vulnerable plugin version is at risk.

💻 Affected Systems

Products:
  • WP-Curriculo Vitae Free WordPress Plugin
Versions: All versions through 6.3
Operating Systems: All platforms running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists when the [formCadastro] shortcode is used on any page.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete server compromise leading to data theft, defacement, malware distribution, or ransomware deployment.

🟠 Likely Case

Website defacement, backdoor installation, credential theft, and lateral movement within the hosting environment.

🟢 If Mitigated

Limited impact with proper file upload restrictions and web application firewalls in place.

🌐 Internet-Facing: HIGH - Unauthenticated exploit targeting internet-facing WordPress sites.
🏢 Internal Only: MEDIUM - Lower risk if only accessible internally, but still dangerous if exploited.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple file upload bypass with publicly available proof-of-concept.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 6.4 or later

Vendor Advisory: https://wordpress.org/plugins/curriculo-vitae/

Restart Required: No

Instructions:

1. Update the WP-Curriculo Vitae plugin to version 6.4+ via the WordPress admin panel.
2. Verify the update completes successfully.
3. Clear the WordPress cache if applicable.

🔧 Temporary Workarounds

Disable Plugin (platform: all)

Temporarily disable the vulnerable plugin until patched.

wp plugin deactivate curriculo-vitae

Restrict File Uploads (platform: linux)

Add web server rules so that PHP/executable files uploaded to the plugin directory are never served or executed.

# Add to .htaccess in wp-content/uploads/curriculo-vitae/
# Apache 2.2 syntax shown; on Apache 2.4 replace the Order/Deny lines with "Require all denied".
# Only effective where AllowOverride permits .htaccess in this directory; nginx ignores .htaccess files.
<FilesMatch "\.(php|phtml|phar|php3|php4|php5|php7|php8|pl|py|jsp|asp|sh|cgi|exe)$">
  Order Allow,Deny
  Deny from all
</FilesMatch>

🧯 If You Can't Patch

  • Remove or disable the [formCadastro] shortcode from all pages/posts
  • Implement web application firewall (WAF) rules to block malicious file uploads

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin > Plugins page for WP-Curriculo Vitae version 6.3 or earlier.

Check Version:

wp plugin list --name=curriculo-vitae --field=version

Verify Fix Applied:

Confirm plugin version is 6.4+ and test file upload functionality with restricted extensions.

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed/successful file uploads to /wp-content/uploads/curriculo-vitae/
  • POST requests to pages containing [formCadastro] with file uploads
  • Execution of PHP files from upload directory
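As an added example (not part of the original advisory), the following script turns the log indicators above into a check over Apache combined-format access log lines: it flags any request for a server-side script under the plugin upload directory and counts how many front-end POSTs the same client sent earlier in the log. The log lines, the page path /curriculo/ and the IP addresses are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed Apache "combined"-format lines (not taken from any real incident).
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2021:12:00:01 +0000] "POST /curriculo/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2021:12:00:03 +0000] "GET /wp-content/uploads/curriculo-vitae/cv-1620.php?x=1 HTTP/1.1" 200 77 "-" "Mozilla/5.0"
198.51.100.2 - - [10/May/2021:12:01:10 +0000] "GET /wp-content/uploads/curriculo-vitae/cv-john.pdf HTTP/1.1" 200 9311 "-" "Mozilla/5.0"
198.51.100.9 - - [10/May/2021:12:02:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
UPLOAD_DIR = "/wp-content/uploads/curriculo-vitae/"
# Same server-side extensions the .htaccess workaround denies.
EXEC_EXT = re.compile(r"\.(php|phtml|phar|php[3-8]|pl|py|jsp|asp|sh|cgi|exe)$", re.I)
# The [formCadastro] form submits to a front-end page; admin/login POSTs are noise here.
ADMIN_PREFIXES = ("/wp-admin", "/wp-login.php", "/xmlrpc.php")

def parse_line(line):
    """Return the fields we need as a dict, or None for lines that do not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_indicators(log_text):
    """Flag requests for server-side scripts under the plugin upload directory.

    Each alert records how many front-end POSTs the same client sent earlier in
    the log, so an upload followed by execution from one source stands out."""
    front_end_posts = defaultdict(int)
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # drop the query string before matching
        if rec["method"] == "POST" and not path.startswith(ADMIN_PREFIXES):
            front_end_posts[rec["ip"]] += 1
        if path.startswith(UPLOAD_DIR) and EXEC_EXT.search(path):
            alerts.append({"ip": rec["ip"], "time": rec["ts"], "path": path,
                           "status": rec["status"],
                           "prior_posts": front_end_posts[rec["ip"]]})
    return alerts

if __name__ == "__main__":
    for a in find_indicators(SAMPLE_LOG):
        print(f"{a['time']} {a['ip']} requested {a['path']} (HTTP {a['status']}), "
              f"{a['prior_posts']} earlier front-end POST(s) from this client")
```

A 200 status on the flagged request means the script was served, which is exactly what the .htaccess rule above should turn into a 403.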

Network Indicators:

  • Unusual outbound connections from WordPress server after file uploads
  • POST requests with file uploads to WordPress pages

SIEM Query:

source="wordpress.log" AND ("curriculo-vitae" OR "formCadastro") AND ("upload" OR "file")
