CVE-2021-24252
📋 TL;DR
The Event Banner WordPress plugin through version 1.3 has an unrestricted file upload vulnerability that allows authenticated admin users to upload arbitrary executable files like .php or .exe, leading to remote code execution. Due to missing CSRF protection, attackers can trick admins into uploading malicious files, and missing authorization checks could allow local file inclusion attacks. This affects all WordPress sites running the vulnerable plugin versions.
💻 Affected Systems
- Event Banner WordPress Plugin
📦 What is this software?
Event Banner by Wp Eventmanager
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise via remote code execution, allowing attackers to execute arbitrary commands, install backdoors, steal data, or pivot to other systems.
Likely Case
Attackers upload web shells or malware to gain persistent access, deface websites, or use the server for malicious activities like cryptocurrency mining or phishing.
If Mitigated
Limited impact with proper file upload restrictions, admin account security, and network segmentation preventing lateral movement.
🎯 Exploit Status
Exploitation requires admin credentials or a CSRF attack against a logged-in admin user. Multiple attack vectors exist, including the file upload and the LFI issue.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.4 or later
Vendor Advisory: https://wpscan.com/vulnerability/91e81c6d-f24d-4f87-bc13-746715af8f7c
Restart Required: No
Instructions:
1. Update the Event Banner plugin to version 1.4 or later via the WordPress admin dashboard.
2. Verify the update completed successfully.
3. Test the file upload functionality.
🔧 Temporary Workarounds
Disable Plugin
Temporarily disable the Event Banner plugin until patched (all platforms):
wp plugin deactivate event-banner
Restrict File Uploads
Configure the web server to block execution of uploaded files in upload directories (Linux):
Add 'Options -ExecCGI' and 'RemoveHandler .php .php3 .php4 .php5 .php7 .phtml' to the upload directory's .htaccess. This only takes effect where Apache honours .htaccess for that directory (AllowOverride) and does not apply to Nginx, which needs an equivalent location rule that refuses to pass files under the upload path to PHP.
🧯 If You Can't Patch
- Remove admin access from untrusted users and implement strict access controls
- Implement web application firewall rules to block malicious file uploads and LFI attempts
🔍 How to Verify
Check if Vulnerable:
Check the WordPress admin dashboard for the Event Banner plugin version. If the version is 1.3 or earlier, the system is vulnerable.
Check Version:
wp plugin get event-banner --field=version
Verify Fix Applied:
Verify the plugin version is 1.4 or later and test the file upload functionality with non-image files (they should be rejected).
📡 Detection & Monitoring
Log Indicators:
- Unusual file uploads to /wp-content/uploads/event-banner/ with .php, .exe, or other executable extensions
- Multiple failed upload attempts with suspicious file types
- Admin user uploading files from unusual IP addresses
Network Indicators:
- POST requests to /wp-admin/admin-ajax.php with file upload parameters
- HTTP requests to newly uploaded .php files in upload directories
SIEM Query:
source="web_server" AND ((uri_path="/wp-admin/admin-ajax.php" AND method="POST" AND form_data CONTAINS "action=event_banner_upload") OR (uri_path CONTAINS "/wp-content/uploads/event-banner/" AND uri_path ENDS WITH ".php"))
Note: the outer parentheses are needed so the source filter applies to both branches; the form_data clause only works if your log source captures POST bodies, which a standard web server access log does not.
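The two detection rules above, implemented as a small scanner over Apache/Nginx combined-format access-log lines. This is an added example, not part of the advisory or the plugin; the action name is the one used in the SIEM query above and is an assumption to confirm against the plugin's own AJAX hook, and the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# "combined" access-log format; the query string is still part of the request target.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+'
)

UPLOAD_DIR = "/wp-content/uploads/event-banner/"
# Extensions the .htaccess workaround un-maps, plus .exe from the advisory summary.
EXEC_EXTS = (".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".exe")
# Assumed action name (taken from the SIEM query); verify against the plugin source.
UPLOAD_ACTION = "event_banner_upload"


def classify(line):
    """Return a finding label for one access-log line, or None if it matches no rule."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    path = parts.path.lower()
    if path.startswith(UPLOAD_DIR) and path.endswith(EXEC_EXTS):
        # A request for an executable file inside the upload directory: possible web shell.
        return "exec-in-upload-dir"
    if m.group("method") == "POST" and path == "/wp-admin/admin-ajax.php":
        # Access logs carry no POST body, so only a query-string action is visible here.
        action = parse_qs(parts.query).get("action", [""])[0]
        if action == UPLOAD_ACTION:
            return "event-banner-upload"
    return None


def scan(lines):
    """Return (client_ip, label, request_target) for every line that trips a rule."""
    findings = []
    for line in lines:
        label = classify(line)
        if label:
            findings.append((LOG_RE.match(line).group("ip"), label, LOG_RE.match(line).group("target")))
    return findings


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2021:14:02:11 +0000] "POST /wp-admin/admin-ajax.php?action=event_banner_upload HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Mar/2021:14:02:15 +0000] "GET /wp-content/uploads/event-banner/banner.php HTTP/1.1" 200 88',
    '198.51.100.4 - - [10/Mar/2021:14:03:01 +0000] "GET /wp-content/uploads/event-banner/summer.jpg HTTP/1.1" 200 40213',
    '198.51.100.4 - - [10/Mar/2021:14:03:05 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 61',
]

if __name__ == "__main__":
    for ip, label, target in scan(SAMPLE_LOG):
        print(f"{ip:15} {label:22} {target}")
```

Feed real lines with `scan(open("/var/log/apache2/access.log"))`; the first rule is the higher-signal one, since a successful request for a .php file under the upload directory means the .htaccess workaround is not in effect.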