CVE-2021-24224
📋 TL;DR
This vulnerability in the Easy Form Builder WordPress plugin allows authenticated users with low privileges to upload arbitrary files without security checks. This can lead to remote code execution (RCE) on affected WordPress sites. Any WordPress installation using vulnerable versions of this plugin is affected.
💻 Affected Systems
- Easy Form Builder WordPress Plugin
📦 What is this software?
Easy Form Builder By Bitware (Easy Form Builder By Bitware Project)
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise through remote code execution, allowing attackers to install malware, steal data, or use the server for further attacks.
Likely Case
Attackers upload web shells or malicious scripts to gain persistent access, deface websites, or deploy ransomware.
If Mitigated
If proper file upload restrictions and user permission controls are in place, impact is limited to unauthorized file uploads without execution.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once credentials are obtained. Public proof-of-concept code exists.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 1.0
Vendor Advisory: https://wpscan.com/vulnerability/ed0c054b-54bf-4df8-9015-c76704c93484
Restart Required: No
Instructions:
1. Update the Easy Form Builder plugin to the latest version.
2. If no update is available, disable and remove the plugin.
3. Check the wp-content/uploads/ directory for any uploaded malicious files.
🔧 Temporary Workarounds
Disable vulnerable AJAX endpoint
Remove or restrict access to the EFBP_verify_upload_file AJAX action
Add to theme's functions.php: remove_action('wp_ajax_EFBP_verify_upload_file', 'EFBP_verify_upload_file');
Add to theme's functions.php: remove_action('wp_ajax_nopriv_EFBP_verify_upload_file', 'EFBP_verify_upload_file');
Restrict file uploads via .htaccess
Block execution of uploaded files in the uploads directory
Add to wp-content/uploads/.htaccess: <Files *.php> deny from all </Files>
Add to wp-content/uploads/.htaccess: <Files *.phtml> deny from all </Files>
🧯 If You Can't Patch
- Disable and remove the Easy Form Builder plugin completely
- Implement strict file upload validation at web server level
- Restrict user registration and strengthen authentication controls
- Monitor wp-content/uploads directory for suspicious files
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Easy Form Builder. If version is 1.0 or earlier, you are vulnerable.
Check Version:
wp plugin list --name=easy-form-builder --field=version (if WP-CLI installed)
Verify Fix Applied:
After updating, verify plugin version is higher than 1.0. Test file upload functionality with non-admin user.
📡 Detection & Monitoring
Log Indicators:
- Multiple POST requests to /wp-admin/admin-ajax.php with action=EFBP_verify_upload_file
- File uploads to wp-content/uploads/ with unusual extensions (.php, .phtml, .php5)
- Unauthorized user accounts performing file uploads
Network Indicators:
- HTTP POST requests to admin-ajax.php with file upload parameters from non-admin users
- Unusual outbound connections from WordPress server after file uploads
SIEM Query:
source="web_access.log" AND uri="/wp-admin/admin-ajax.php" AND post_data="action=EFBP_verify_upload_file"
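The two log indicators above, as an added detection example that is not part of the advisory or the plugin project. It assumes the WordPress front end writes a standard combined-format access log and that the action name appears in the query string (admin-ajax.php accepts it there as well as in the POST body, which a plain access log does not record); the log lines are constructed samples.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in combined access-log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2021:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=EFBP_verify_upload_file HTTP/1.1" 200 61 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2021:10:01:05 +0000] "POST /wp-admin/admin-ajax.php?action=EFBP_verify_upload_file HTTP/1.1" 200 61 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2021:10:01:09 +0000] "GET /wp-content/uploads/2021/03/shell.PhP HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2021:10:02:00 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 20 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2021:10:02:30 +0000] "GET /wp-content/uploads/2021/03/logo.png HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)
VULN_ACTION = "EFBP_verify_upload_file"          # AJAX action named in the advisory
SCRIPT_EXTS = (".php", ".phtml", ".php5")        # extensions listed under Log Indicators


def scan_access_log(text, threshold=2):
    """Return sorted (client_ip, reason) findings for the advisory's two indicators.

    threshold: how many POSTs to the vulnerable action from one client count as 'multiple'.
    """
    ajax_hits = Counter()
    findings = set()
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                               # skip lines that are not requests
        ip, method, uri = m["ip"], m["method"], m["uri"]
        parts = urlsplit(uri)
        # Indicator 1: POST to admin-ajax.php invoking the vulnerable upload action.
        if method == "POST" and parts.path == "/wp-admin/admin-ajax.php":
            if VULN_ACTION in parse_qs(parts.query).get("action", []):
                ajax_hits[ip] += 1
        # Indicator 2: a script file being fetched out of the uploads directory
        # (case-insensitive, so shell.PhP is caught as well as shell.php).
        if parts.path.startswith("/wp-content/uploads/") and parts.path.lower().endswith(SCRIPT_EXTS):
            findings.add((ip, f"script requested from uploads: {parts.path}"))
    for ip, n in ajax_hits.items():
        if n >= threshold:
            findings.add((ip, f"{n} POSTs to admin-ajax.php with action={VULN_ACTION}"))
    return sorted(findings)
```

Point `scan_access_log` at a full log file to get one finding per offending client and per script path served from uploads; the heartbeat call and the PNG fetch from the second client produce nothing.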
🔗 References
- https://github.com/jinhuang1102/CVE-ID-Reports/blob/e4c33529b20fa70e3a764ff9b1125839fb9900b5/Easy%20Form%20Builder.md
- https://wpscan.com/vulnerability/ed0c054b-54bf-4df8-9015-c76704c93484