CVE-2021-24236

9.8 CRITICAL

📋 TL;DR

The Imagements WordPress plugin through version 1.2.5 lets site visitors attach images to comments, but it validates the upload only by the Content-Type the client declares for the file part. An unauthenticated attacker can therefore submit a PHP file labelled as an image, have it written to disk, and request it to execute code as the web server user. Any site with the plugin active is affected; one request is enough to compromise the whole web server.

💻 Affected Systems

Products:
  • WordPress Imagements Plugin
Versions: 1.2.5 and earlier
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects WordPress sites with the Imagements plugin installed and enabled.

📦 What is this software?

Imagements is a WordPress plugin that adds an image attachment field to the comment form so that commenters, including anonymous ones, can upload a picture with their comment. That comment-attachment upload handler is the vulnerable code path.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full server compromise: the attacker executes code as the web server user, installs persistent backdoors, reads the database credentials in wp-config.php and the data behind them, defaces the site, and pivots into the internal network.

🟠 Likely Case

Website defacement, malware or SEO spam injection, credential theft, and data exfiltration through an uploaded web shell.

🟢 If Mitigated

The upload is rejected by a WAF rule, or the web server refuses to execute PHP from the plugin's directory so that an uploaded file is inert; no impact.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is trivial: the attacker submits an ordinary comment as a multipart form with a file part whose content is PHP but whose declared Content-Type is an image type such as image/png. Because the plugin checks only that header and not the file extension or the bytes, the file is stored with its .php name and can then be requested directly. No account, token or user interaction is required.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.2.6 or later

Vendor Advisory: https://wpscan.com/vulnerability/8f24e74f-60e3-4100-9ab2-ec31b9c9cdea

Restart Required: No

Instructions:

1. Update the Imagements plugin to version 1.2.6 or later via the WordPress admin panel.
2. If auto-updates are disabled, manually download and install the latest version from WordPress.org.

🔧 Temporary Workarounds

Disable Imagements Plugin

Platforms: all

Temporarily deactivate the vulnerable plugin until patching is possible. Deactivating removes the comment upload handler but leaves any already uploaded PHP files on disk, so check the plugin directory afterwards.

wp plugin deactivate imagements

Web Application Firewall Rule

Platforms: all

Block multipart POSTs to the comment endpoint (wp-comments-post.php) whose file part has a .php, .phtml, .phar or .phpN filename, or whose bytes begin with <?php, regardless of the declared Content-Type. Filtering on Content-Type alone is useless here, because that header is exactly what the attacker controls and the plugin trusts.

🧯 If You Can't Patch

  • Disable the Imagements plugin immediately
  • Deny PHP execution under the plugin's directory at the web server (Apache FilesMatch or nginx location rule) so that an uploaded script cannot run even if the upload succeeds
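One way to carry out the second bullet, as an added example rather than the page's or the plugin's own code: a shell function that appends an Apache 2.4 rule to the .htaccess of a directory so PHP files stored there are never executed, with the equivalent nginx rule as a comment. It assumes Apache honours .htaccess under wp-content (AllowOverride) and that you pass the directory the plugin stores uploaded images in; the page does not state that path, so the one in the usage line is an assumption.

```shell
#!/bin/sh
# Added example for CVE-2021-24236 mitigation; not code from the page or the plugin.

# deny_php_execution DIR: append an Apache 2.4 rule to DIR/.htaccess that
# refuses to serve any PHP-executable file from that directory tree.
# WordPress loads plugin code with include/require, not over HTTP, so denying
# direct requests is usually safe; it breaks a plugin only if browsers are
# meant to request one of its PHP files directly (check before applying it to
# a whole plugin directory rather than just its upload folder).
deny_php_execution() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    # Append rather than overwrite, so a hand-written .htaccess survives.
    cat >> "$dir/.htaccess" <<'EOF'
# CVE-2021-24236 mitigation: never execute scripts uploaded as "images".
<FilesMatch "\.(php|phtml|phar|php[0-9])$">
    Require all denied
</FilesMatch>
EOF
}

# nginx equivalent (place it in the server block *before* the generic
# "location ~ \.php$" handler, because the first matching regex location wins):
#
#   location ~* ^/wp-content/plugins/imagements/.*\.(php|phtml|phar)$ {
#       return 403;
#   }

# is_php_denied DIR: succeed when DIR/.htaccess already carries the rule,
# so the mitigation can be re-run idempotently from cron or config management.
is_php_denied() {
    grep -q 'Require all denied' "$1/.htaccess" 2>/dev/null
}

# Usage (the path is an assumption; adjust to where your site keeps the plugin):
#   d=/var/www/html/wp-content/plugins/imagements
#   is_php_denied "$d" || deny_php_execution "$d"
```

`Require all denied` is Apache 2.4 syntax; on a 2.2 server the body of the FilesMatch block is `Deny from all` instead. Either way, test the rule by requesting a harmless existing file under the directory with a .php name and confirming a 403, since a PHP-FPM handler configured in a broader FilesMatch can otherwise take precedence.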

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel for Imagements plugin version 1.2.5 or earlier.

Check Version:

wp plugin get imagements --field=version

Verify Fix Applied:

Verify Imagements plugin is updated to version 1.2.6 or later in WordPress plugins list.
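As an added helper (not part of the page's advisory or the plugin), the following POSIX shell functions automate the checks above: a dotted version comparison that can be fed the wp-cli output shown, and a scan for PHP files in a directory that should only hold comment images. The directory you pass is an assumption to supply; the page does not state exactly where the plugin stores uploads.

```shell
#!/bin/sh
# Added example for CVE-2021-24236 verification; not code from the page or the plugin.

# version_le A B: succeed (exit 0) when dotted version A <= B, comparing
# numerically component by component ("1.2.10" > "1.2.5"). Pre-release
# suffixes such as "-beta" are not handled (assumption: plain x.y.z strings).
version_le() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        x=${x:-0};  y=${y:-0}
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# imagements_is_vulnerable VERSION: succeed when VERSION is 1.2.5 or earlier,
# the affected range given in the advisory.
imagements_is_vulnerable() {
    version_le "$1" "1.2.5"
}

# find_unexpected_php DIR: print every PHP-executable file under DIR. Point it
# at the folder the plugin writes comment images to (an assumption you supply);
# anything it prints is a candidate web shell left behind by a successful exploit.
find_unexpected_php() {
    find "$1" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.phar' -o -name '*.php[0-9]' \)
}

# Stand-alone run: query wp-cli with the command from the page, if it is installed.
if command -v wp >/dev/null 2>&1; then
    v=$(wp plugin get imagements --field=version 2>/dev/null || true)
    if [ -n "$v" ] && imagements_is_vulnerable "$v"; then
        echo "Imagements $v: VULNERABLE (CVE-2021-24236), update or deactivate"
    elif [ -n "$v" ]; then
        echo "Imagements $v: outside the affected range"
    fi
fi
```

Run the file scan even after updating: patching closes the upload path but does not remove files an attacker uploaded before the patch, so a clean version number is not by itself evidence that the site is clean.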

📡 Detection & Monitoring

Log Indicators:

  • Multipart POSTs to /wp-comments-post.php that carry a file part, especially from clients with no prior browsing of the site
  • GET requests for .php, .phtml or .phar files under /wp-content/plugins/imagements/ (where the plugin keeps uploaded comment images), in particular files the plugin does not ship
  • Multiple upload attempts from one client that vary only the declared Content-Type or the file extension

Network Indicators:

  • HTTP POST requests with multipart/form-data in which a part declared as image/* begins with <?php rather than an image magic number
  • Requests to newly created .php files under /wp-content/plugins/imagements/, typically with a command in the query string, shortly after a comment POST from the same address

SIEM Query:

source="web_server" AND ((method="POST" AND uri_path="/wp-comments-post.php" AND content_type="multipart/form-data*") OR (uri_path="/wp-content/plugins/imagements/*" AND uri_path="*.php*"))

The first clause is noisy on any site that uses the plugin legitimately; the second clause, a PHP file being requested from the plugin's directory, is the high-signal one and should alert on its own.
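The indicators above turned into something runnable, as an added example that is not part of the page or of any vendor tooling: an awk pass over a combined-format access log that reports clients which either had a PHP file served from the plugin directory or POSTed a comment and then probed for a PHP file there. The sample log lines are constructed for the example using documentation IP ranges; the upload location is taken from the path the page names, which is an assumption about where the plugin stores files.

```shell
#!/bin/sh
# Added example for CVE-2021-24236 detection; not code from the page.

# imagements_suspects [LOGFILE]: scan an Apache/nginx combined-format access
# log (file argument, or stdin when omitted) and print "IP<TAB>reason<TAB>path":
#   served_php_from_plugin_dir : a .php/.phtml/.phar under the plugin directory
#                                answered 200, i.e. a web shell being used;
#   comment_post_then_php_probe: the same client POSTed to the comment endpoint
#                                earlier in the log and then requested such a
#                                file (upload followed by a check that it ran).
imagements_suspects() {
    awk '
    {
        ip = $1
        method = substr($6, 2)          # strip the opening quote of "GET
        path = $7
        status = $9
        sub(/\?.*/, "", path)           # drop the query string (?c=id)
        if (method == "POST" && path == "/wp-comments-post.php")
            posted[ip] = 1
        if (path ~ /^\/wp-content\/plugins\/imagements\/.*\.(php|phtml|phar)$/) {
            if (status == "200")
                print ip "\tserved_php_from_plugin_dir\t" path
            else if (ip in posted)
                print ip "\tcomment_post_then_php_probe\t" path
        }
    }' ${1:+"$1"}
}

# Constructed sample log (documentation IP ranges): one benign visitor, one
# attacker who posts a comment, runs a shell and probes a second file, and one
# scanner that probes without a prior comment POST.
imagements_sample_log() {
    cat <<'EOF'
198.51.100.9 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [01/Jan/2024:10:00:02 +0000] "GET /wp-content/plugins/imagements/images/photo.png HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2024:10:05:00 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "python-requests/2.31"
203.0.113.7 - - [01/Jan/2024:10:05:02 +0000] "GET /wp-content/plugins/imagements/images/cmd.php?c=id HTTP/1.1" 200 45 "-" "python-requests/2.31"
192.0.2.33 - - [01/Jan/2024:10:07:00 +0000] "GET /wp-content/plugins/imagements/images/x.php HTTP/1.1" 404 0 "-" "zgrab/0.x"
203.0.113.7 - - [01/Jan/2024:10:08:00 +0000] "GET /wp-content/plugins/imagements/images/cmd2.php HTTP/1.1" 404 0 "-" "python-requests/2.31"
EOF
}

# Stand-alone run against the constructed sample; on a real host use
#   imagements_suspects /var/log/apache2/access.log
imagements_sample_log | imagements_suspects
```

On the sample this prints two lines, both for 203.0.113.7: the 200 on cmd.php and the later probe for cmd2.php. The 404 from 192.0.2.33 is not reported because that client never posted a comment; lower the bar to any .php request under the plugin path if you would rather see scanners too. The logic is line-order based, so the comment POST must precede the probe in the log.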
