CVE-2021-24311
📋 TL;DR
This vulnerability allows any authenticated WordPress user to upload arbitrary files via the wp_ajax_upload-remote-file AJAX action in the External Media plugin. This can lead to remote code execution and complete site compromise. All WordPress sites running vulnerable versions of the External Media plugin are affected.
💻 Affected Systems
- WordPress External Media plugin
📦 What is this software?
External Media by External Media Project
⚠️ Risk & Real-World Impact
Worst Case
Complete site takeover via webshell upload leading to data theft, defacement, malware distribution, and server compromise.
Likely Case
Unauthorized file upload leading to webshell installation and limited code execution within the WordPress context.
If Mitigated
If proper file type validation and authentication controls exist, impact is limited to unauthorized file storage without execution.
🎯 Exploit Status
Exploitation requires authenticated user access but is trivial once authenticated. Multiple security vendors have confirmed active exploitation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.0.34
Vendor Advisory: https://wordpress.org/plugins/external-media/#developers
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the External Media plugin.
4. Click 'Update Now' if available, or download version 1.0.34+ from the WordPress repository.
5. Replace the plugin files with the patched version.
🔧 Temporary Workarounds
Disable External Media plugin
Temporarily deactivate the vulnerable plugin until the patched version can be installed.
wp plugin deactivate external-media
Restrict AJAX endpoints
Block access to wp-admin/admin-ajax.php for non-administrative users via a web application firewall or .htaccess.
# Add to .htaccess:
# Note: this rule denies every client except the loopback address, which also
# blocks legitimate front-end AJAX for site visitors. It uses the Apache 2.2
# Order/Deny/Allow directives, which on Apache 2.4 require mod_access_compat.
<Files "admin-ajax.php">
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
</Files>
🧯 If You Can't Patch
- Remove all non-essential user accounts and enforce strong authentication for remaining accounts.
- Implement file upload restrictions at web server level to block execution of uploaded PHP files.
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → External Media → Version. If version is below 1.0.34, system is vulnerable.
Check Version:
wp plugin get external-media --field=version
Verify Fix Applied:
Confirm External Media plugin version is 1.0.34 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- POST requests to /wp-admin/admin-ajax.php with action=upload-remote-file
- File uploads to wp-content/uploads/ with suspicious extensions (.php, .phtml)
Network Indicators:
- Unusual AJAX requests from authenticated users to upload endpoints
- Traffic patterns showing file uploads followed by execution attempts
SIEM Query:
source="wordpress.log" AND (uri_path="/wp-admin/admin-ajax.php" AND post_data="action=upload-remote-file")
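The log indicators above can be turned into a small offline check. The following Python script is an added example, not part of this advisory or of the External Media plugin. It assumes a structured access log in which each line carries space-separated key=value fields (method, uri, user and a quoted URL-encoded POST body); that format and the sample lines are constructed for illustration. It flags the AJAX action named above, remote URLs pointing at files with executable extensions, direct requests for PHP files under wp-content/uploads/, and the "upload followed by execution attempt" pattern by matching an uploaded file's basename against a later GET into the uploads directory.

```python
"""Detection helper for CVE-2021-24311 log indicators (added example, not the advisory's code)."""
import shlex
from typing import Dict, List, Tuple
from urllib.parse import parse_qs, urlsplit

AJAX_PATH = "/wp-admin/admin-ajax.php"
ACTION = "upload-remote-file"            # AJAX action named in the advisory
UPLOADS_PREFIX = "/wp-content/uploads/"
SUSPICIOUS_EXT = (".php", ".phtml", ".php5", ".phar")

# Constructed sample log (assumed key=value format; not real traffic).
SAMPLE_LOG = [
    'method=POST uri=/wp-admin/admin-ajax.php user=editor1 body="action=upload-remote-file&url=https%3A%2F%2Fexample.invalid%2Fpic.jpg"',
    'method=POST uri=/wp-admin/admin-ajax.php user=subscriber7 body="action=upload-remote-file&url=https%3A%2F%2Fexample.invalid%2Fshell.php"',
    'method=POST uri=/wp-admin/admin-ajax.php user=subscriber7 body="action=heartbeat"',
    'method=GET uri=/wp-content/uploads/2021/05/shell.php user=- body=""',
    'method=GET uri=/index.php user=- body=""',
]


def parse_line(line: str) -> Dict[str, str]:
    """Split one key=value log line into a dict; shlex keeps the quoted body intact."""
    fields: Dict[str, str] = {}
    for token in shlex.split(line):
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def _remote_urls(fields: Dict[str, str]) -> List[str]:
    """Return the remote URLs of an upload-remote-file AJAX request, or [] otherwise."""
    if fields.get("method") != "POST" or fields.get("uri") != AJAX_PATH:
        return []
    params = parse_qs(fields.get("body", ""))
    if ACTION not in params.get("action", []):
        return []
    return params.get("url", [])


def classify(fields: Dict[str, str]) -> List[str]:
    """Return the indicator names raised by one parsed log line."""
    hits: List[str] = []
    if fields.get("method") == "POST" and fields.get("uri") == AJAX_PATH:
        params = parse_qs(fields.get("body", ""))
        if ACTION in params.get("action", []):
            hits.append("ajax-upload-remote-file")
            for url in params.get("url", []):
                if urlsplit(url).path.lower().endswith(SUSPICIOUS_EXT):
                    hits.append("remote-file-executable-extension")
    uri = fields.get("uri", "")
    if uri.startswith(UPLOADS_PREFIX) and uri.lower().endswith(SUSPICIOUS_EXT):
        hits.append("uploads-php-request")
    return hits


def scan(lines: List[str]) -> List[Tuple[int, str, List[str]]]:
    """Return (line_no, user, indicators) for every line raising at least one indicator."""
    findings = []
    for n, line in enumerate(lines, 1):
        fields = parse_line(line)
        hits = classify(fields)
        if hits:
            findings.append((n, fields.get("user", "-"), hits))
    return findings


def correlate(lines: List[str]) -> List[Tuple[int, int, str]]:
    """Pair an upload-remote-file request with a later GET for a file of the same
    basename under wp-content/uploads/ (the 'upload then execute' pattern).
    Returns (upload_line_no, request_line_no, basename) tuples."""
    uploaded: Dict[str, int] = {}
    alerts: List[Tuple[int, int, str]] = []
    for n, line in enumerate(lines, 1):
        fields = parse_line(line)
        for url in _remote_urls(fields):
            name = urlsplit(url).path.rsplit("/", 1)[-1].lower()
            if name:
                uploaded.setdefault(name, n)
        uri = fields.get("uri", "")
        if fields.get("method") == "GET" and uri.startswith(UPLOADS_PREFIX):
            name = uri.rsplit("/", 1)[-1].lower()
            if name in uploaded:
                alerts.append((uploaded[name], n, name))
    return alerts


if __name__ == "__main__":
    for n, user, hits in scan(SAMPLE_LOG):
        print(f"line {n} user={user}: {', '.join(hits)}")
    for up, req, name in correlate(SAMPLE_LOG):
        print(f"upload on line {up} followed by request for {name} on line {req}")
```

In production the parser would be replaced by one for the real log format (and POST bodies are only available if the web server or WAF records them, as the SIEM query above also assumes); the classification and correlation logic stays the same.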
🔗 References
- https://wpscan.com/vulnerability/4fb90999-6f91-4200-a0cc-bfe9b34a5de9
- https://www.wordfence.com/blog/2021/05/critical-vulnerability-patched-in-external-media-plugin/