CVE-2021-24240
📋 TL;DR
This vulnerability allows unauthenticated remote attackers to upload arbitrary files via the Business Hours Pro WordPress plugin's manual update functionality, leading to remote code execution. It affects WordPress sites running Business Hours Pro plugin version 5.5.0 and earlier. Attackers can take full control of vulnerable websites without any authentication.
💻 Affected Systems
- Business Hours Pro WordPress Plugin
📦 What is this software?
Business Hours Pro by Aivahthemes
⚠️ Risk & Real-World Impact
Worst Case
Complete website compromise, data theft, defacement, malware distribution, and lateral movement to other systems on the network.
Likely Case
Website takeover, backdoor installation, credential theft, and SEO spam injection.
If Mitigated
Attack blocked at web application firewall level or plugin disabled, no impact.
🎯 Exploit Status
Exploitation is straightforward: attackers can upload malicious PHP files without authentication using the plugin's update mechanism.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.5.1 or later
Vendor Advisory: https://codecanyon.net/item/business-hours-pro-wordpress-plugin/9414879
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Go to Plugins → Installed Plugins.
3. Find Business Hours Pro.
4. Click 'Update Now' if available.
5. If no update is available, download the latest version from CodeCanyon and manually update.
🔧 Temporary Workarounds
Disable Plugin
Temporarily disable the Business Hours Pro plugin until patched.
wp plugin deactivate business-hours-pro
Block Update Endpoint
Block access to the plugin's update functionality via a web application firewall or .htaccess. Put the rule in a .htaccess file inside the plugin's own directory (wp-content/plugins/business-hours-pro/.htaccess): it then denies direct requests to every PHP file in that tree, which covers the update endpoint and also stops execution of any file that was already uploaded there. Do not add it to the site root .htaccess, which would block WordPress itself.
# Add to wp-content/plugins/business-hours-pro/.htaccess (not the site root .htaccess,
# which would block WordPress itself). Denies direct requests to PHP files in the plugin tree.
<FilesMatch "\.(php|phtml|php3|php4|php5|php7|phps)$">
    # Apache 2.2 (or 2.4 with mod_access_compat loaded):
    Order Allow,Deny
    Deny from all
    # Apache 2.4 without mod_access_compat: use this line instead of the two above
    # Require all denied
</FilesMatch>
# Or block specific update endpoint if known
🧯 If You Can't Patch
- Remove the Business Hours Pro plugin completely from the WordPress installation.
- Implement strict file upload restrictions at the web server level and monitor for suspicious file uploads.
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Business Hours Pro version. If version is 5.5.0 or earlier, you are vulnerable.
Check Version:
wp plugin get business-hours-pro --field=version
Verify Fix Applied:
Verify plugin version is 5.5.1 or later in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Unusual file uploads to plugin directories
- POST requests to plugin update endpoints from unauthenticated users
- Execution of unexpected PHP files in wp-content/plugins/business-hours-pro/
Network Indicators:
- HTTP POST requests to /wp-content/plugins/business-hours-pro/update.php or similar endpoints
- File uploads with PHP extensions to plugin directories
SIEM Query:
source="web_server" AND (uri_path="/wp-content/plugins/business-hours-pro/update.php" OR uri_path CONTAINS "business-hours-pro/update") AND http_method="POST"
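As an added example (not part of this advisory or the plugin's code), a small Python script that applies the log indicators above to Apache/nginx combined-format access log lines: it flags POST requests to the plugin's update path (the SIEM query's condition) and any request for a PHP file under wp-content/plugins/business-hours-pro/, and reports lines it cannot parse instead of dropping them silently. The log lines are constructed, and the update.php endpoint name is assumed from the indicators above; this page does not confirm the plugin's real endpoint.

```python
import re
from collections import Counter

# Constructed sample access-log lines (combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2021:14:02:11 +0000] "POST /wp-content/plugins/business-hours-pro/update.php HTTP/1.1" 200 512 "-" "python-requests/2.25.1"
203.0.113.5 - - [10/Mar/2021:14:02:13 +0000] "GET /wp-content/plugins/business-hours-pro/dropped.php HTTP/1.1" 200 77 "-" "python-requests/2.25.1"
198.51.100.7 - - [10/Mar/2021:14:05:40 +0000] "GET /wp-content/plugins/business-hours-pro/css/style.css HTTP/1.1" 200 4311 "https://example.test/" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2021:14:06:02 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
garbage line that does not parse
"""

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
PLUGIN_DIR = "/wp-content/plugins/business-hours-pro/"
PHP_EXT_RE = re.compile(r"\.(php|phtml|php[3457]|phps)$", re.IGNORECASE)  # same list as the .htaccess rule


def classify(line):
    """Return the indicator names one access-log line matches ([] if benign)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return ["unparseable"]  # surface bad lines rather than silently dropping them
    path = m.group("uri").split("?", 1)[0]  # ignore the query string
    hits = []
    if m.group("method") == "POST" and "business-hours-pro/update" in path:
        hits.append("plugin_update_post")  # the SIEM query's condition
    if path.startswith(PLUGIN_DIR) and PHP_EXT_RE.search(path):
        hits.append("php_exec_in_plugin_dir")  # PHP served from the plugin tree
    return hits


def scan(log_text):
    """Group matching lines by indicator and count flagged requests per source IP."""
    findings, by_ip = {}, Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        names = classify(line)
        for name in names:
            findings.setdefault(name, []).append(line)
        if names and names != ["unparseable"]:
            by_ip[line.split(" ", 1)[0]] += 1
    return findings, by_ip


if __name__ == "__main__":
    for name, lines in scan(SAMPLE_LOG)[0].items():
        print(name, len(lines))
```

Run it against a real access log by passing the file contents to scan(); the update.php POST is counted once under each indicator it matches, so the per-IP tally counts requests, not indicator hits.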