CVE-2021-24248
📋 TL;DR
An authenticated WordPress administrator can upload a PHP file through the Business Directory Plugin's import feature, which leads to remote code execution on the web server. The plugin validates uploaded filenames with an extension blacklist, and that blacklist misses extensions such as .php4 that the server's PHP handler may still execute. Every site running a vulnerable version (before 5.11.1) is affected.
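The core defect is a filter built as a blacklist that does not line up with what the web server actually executes. The following added example (not code from the plugin or from WPScan) models that mismatch: a constructed blacklist of the obvious PHP extensions, an allowlist of what an import should ever accept, and a constructed approximation of the handler pattern many Apache/PHP installs use (`\.ph(p[2-7]?|tml)$`, plus `.phar`). The sets and the regex are assumptions for illustration, not the plugin's real values; the point is the gap report, which is the check to run against any upload filter.

```python
import re

# Constructed blacklist modelled on the flaw described above: it stops the
# obvious PHP extensions but not every one the server may execute.
# This is an assumption for the example, not the plugin's actual list.
BLACKLIST = {"php", "phtml"}

# Constructed allowlist: what a CSV/image import has any reason to accept.
ALLOWLIST = {"csv", "zip", "jpg", "jpeg", "png", "gif"}

# Approximation of a common Apache handler mapping for PHP (assumed, check
# your own httpd/php config). Anchored on $, so it does not model
# AddHandler-style setups where "shell.php.jpg" would also execute.
EXECUTES = re.compile(r"\.(ph(p[2-7]?|tml)|phar)$", re.IGNORECASE)


def extension(name):
    """Lower-cased last extension of a filename; '' if there is none."""
    base = name.rsplit("/", 1)[-1]
    if "." not in base:
        return ""
    return base.rsplit(".", 1)[1].lower()


def blacklist_allows(name):
    """The vulnerable style of check: accept anything not explicitly banned."""
    return extension(name) not in BLACKLIST


def allowlist_allows(name):
    """The hardened style of check: accept only known-safe extensions."""
    return extension(name) in ALLOWLIST


def server_executes(name):
    """Would the (assumed) PHP handler run this file if it were requested?"""
    return bool(EXECUTES.search(name))


def blacklist_gaps(candidates):
    """Filenames the blacklist accepts but the server would execute."""
    return [c for c in candidates if blacklist_allows(c) and server_executes(c)]


if __name__ == "__main__":
    probes = ["a.php", "b.php4", "c.phtml", "d.jpg", "e.phar", "F.PHP5"]
    print("blacklist gaps:", blacklist_gaps(probes))
    print("allowlist accepts:", [p for p in probes if allowlist_allows(p)])
```

Run the gap report with the exact handler regex from your own server configuration; any filename it returns is a file the filter will store and the server will run.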
💻 Affected Systems
- Business Directory Plugin – Easy Listing Directories for WordPress
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise with attacker gaining complete control over the WordPress site and potentially the underlying server through remote code execution.
Likely Case
Attacker uploads web shell, gains persistent access to the WordPress site, and can deface content, steal data, or install malware.
If Mitigated
If PHP execution is disabled in the directory the plugin writes uploads to, an uploaded .php4 file is served as static content (or denied) rather than run, and a web application firewall or upload monitoring gives a chance to detect the attempt.
🎯 Exploit Status
Exploitation requires administrator credentials (the issue is rated Admin+ by WPScan). The vulnerability is well documented and a public proof of concept is available. Note that on a default single-site install an administrator can already execute PHP by uploading a plugin, so the practical risk is highest where that path is closed, for example with DISALLOW_FILE_MODS set in wp-config.php, or on multisite installs where site administrators cannot install plugins but can still reach this import feature.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.11.1
Vendor Advisory: https://wpscan.com/vulnerability/ca886a34-cd2b-4032-9de1-8089b5cf3001
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Business Directory Plugin – Easy Listing Directories'.
4. Click 'Update Now' if available, or download version 5.11.1 or later from the WordPress plugin repository.
5. Activate the updated plugin.
🔧 Temporary Workarounds
Disable plugin (all platforms)
Temporarily deactivate the vulnerable plugin until it can be updated. Deactivation removes the import page but does not remove any file that has already been uploaded, so also review the plugin's upload directory.
wp plugin deactivate business-directory-plugin
Restrict file execution in the upload directory (Linux/Apache)
Configure the web server to refuse requests for .php4 and other PHP-handled extensions in the directory the plugin writes uploaded files to (normally under wp-content/uploads, where nothing should ever execute). Add to that directory's .htaccess (requires AllowOverride to permit it; nginx ignores .htaccess entirely, so use an equivalent location rule there). The Order/Deny form is Apache 2.2 syntax; Apache 2.4 needs Require unless mod_access_compat is loaded, so both are included:
<FilesMatch "\.(php|php4|php5|phtml|phar)$">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Deny from all
  </IfModule>
</FilesMatch>
🧯 If You Can't Patch
- Remove administrator access from untrusted users and implement principle of least privilege
- Implement web application firewall rules to block uploads of files with dangerous extensions
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Business Directory Plugin version. If version is below 5.11.1, it's vulnerable.
Check Version:
wp plugin get business-directory-plugin --field=version
Verify Fix Applied:
Confirm plugin version is 5.11.1 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Requests (especially ones returning 200) for files with .php, .php4, .php5, .phtml or .phar extensions under wp-content/uploads in web server access logs. The uploaded filename itself is inside the multipart POST body and does not appear in standard access logs; the later request for the file is what you will see.
- POST requests from an admin session to the plugin's import page under /wp-admin/ (or to admin-ajax.php actions the plugin registers for the import), particularly at unusual times or from unfamiliar addresses.
Network Indicators:
- HTTP POST requests containing file uploads to plugin import endpoints
- Subsequent requests to uploaded PHP files
SIEM Query (pseudo-syntax, adapt field names to your platform):
source="web_server" AND ((method="POST" AND uri_path="/wp-admin/*" AND uri_path="*import*") OR (uri_path="/wp-content/uploads/*" AND uri_path IN ("*.php", "*.php4", "*.php5", "*.phtml", "*.phar")))