CVE-2021-24453

CVSS 8.8 (HIGH)

📋 TL;DR

The Include Me WordPress plugin, through version 1.2.1, contains a path traversal vulnerability that lets an attacker read arbitrary files on the server, including wp-config.php and the database credentials it holds. Arbitrary file read escalates to remote code execution only where the traversed path ends up in a PHP include rather than a plain read: an attacker first writes PHP into a file the web server can reach (log poisoning, for example via a crafted User-Agent recorded in the access log) and then traverses to that file so it is executed. Every WordPress site running a vulnerable version of the plugin is affected.

💻 Affected Systems

Products:
  • Include Me WordPress Plugin
Versions: All versions up to and including 1.2.1
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress installation with the plugin activated.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full server compromise allowing attackers to execute arbitrary code, steal data, install backdoors, and pivot to other systems.

🟠

Likely Case

Arbitrary file read leading to sensitive information disclosure (config files, credentials) and potential RCE through log poisoning.

🟢

If Mitigated

Reduced impact if log files are not readable by the PHP worker user (which removes the usual log-poisoning path to RCE), a web application firewall blocks traversal sequences, and monitoring alerts on attempts. Arbitrary read of files PHP must be able to open, such as wp-config.php, remains possible until the plugin is patched or removed.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Path traversal to arbitrary file read is straightforward; reaching RCE needs an extra step such as log poisoning and a code path that includes, rather than merely reads, the traversed file. Note that a CVSS v3 score of 8.8 with High confidentiality, integrity and availability impact typically corresponds to a vector that requires either low privileges (PR:L) or user interaction (UI:R); a network-reachable, unauthenticated, no-interaction vector with the same impact would score 9.8. Confirm the exact prerequisite against the vendor advisory before treating the 'Unauthenticated' flag above as established.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.2.2 or later

Vendor Advisory: https://wpscan.com/vulnerability/78575072-4e04-4a8a-baec-f313cfffe829

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the 'Include Me' plugin.
4. Click 'Update Now' if an update to 1.2.2 or later is available.
5. If no fixed version is available, deactivate and delete the plugin.

🔧 Temporary Workarounds

Disable vulnerable plugin

Platform: all

Deactivate and remove the Include Me plugin if patching isn't immediately possible.

wp plugin deactivate include-me
wp plugin delete include-me

Web Application Firewall rule

Platform: linux

Block path traversal sequences in web requests. Decode and lowercase the input before matching so URL-encoded variants such as ..%2F and %2e%2e/ are caught; the original rule only matched a literal ../ in decoded arguments and was missing its closing quote.

# Example ModSecurity rule (defense in depth only; it will not see traversal
# delivered through content saved in the editor rather than in the request URL)
SecRule ARGS|REQUEST_URI_RAW "@rx \.\.[/\\]" \
    "id:1001,phase:2,t:none,t:urlDecodeUni,t:lowercase,deny,status:403,log,msg:'Path Traversal Attempt'"

🧯 If You Can't Patch

  • Make web server and PHP log files unreadable by the PHP worker user (for example owned by root:adm with mode 0640, the Debian Apache default), so a traversal cannot reach a poisoned log; this does not protect files PHP must read, such as wp-config.php
  • Deploy a web application firewall with path traversal detection rules that match URL-encoded and double-encoded variants as well as the literal ../

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Installed Plugins for 'Include Me' version ≤1.2.1

Check Version:

wp plugin get include-me --field=version

Verify Fix Applied:

Verify plugin version is 1.2.2 or higher, or plugin is removed entirely
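The version checks above are meant to be run by hand on one site. The following is an added example, not code from the page or from the plugin's authors, that applies the same rule (Include Me present at a version below 1.2.2, and whether it is active) to the JSON that `wp plugin list --format=json` emits, so it can be run across a fleet. The sample plugin list is constructed inline; `assess_live()` shells out to WP-CLI only if you call it on a real install.

```python
import json
import re
import subprocess

PLUGIN_SLUG = "include-me"        # slug used by the WP-CLI commands on this page
FIXED_VERSION = (1, 2, 2)         # first fixed release per the advisory


def parse_version(v):
    """Turn '1.2.1' (or '1.2.1-beta') into a tuple of ints for comparison."""
    nums = re.findall(r"\d+", v)
    return tuple(int(n) for n in nums) if nums else (0,)


def assess(plugin_list):
    """plugin_list: decoded JSON from `wp plugin list --format=json`
    (fields: name, status, update, version).
    Returns a dict describing the Include Me install, or None if absent."""
    for p in plugin_list:
        if p.get("name") == PLUGIN_SLUG:
            ver = p.get("version", "0")
            vulnerable = parse_version(ver) < FIXED_VERSION
            return {
                "version": ver,
                "status": p.get("status"),
                "vulnerable": vulnerable,
                # exposure is highest when the vulnerable code is active;
                # an inactive copy still warrants removal
                "exposed": vulnerable and p.get("status") == "active",
            }
    return None


def assess_live(path="/var/www/html"):
    """Run WP-CLI against a real install (not executed in the offline demo)."""
    out = subprocess.check_output(
        ["wp", "plugin", "list", "--format=json", f"--path={path}"], text=True)
    return assess(json.loads(out))


# Constructed sample in the shape WP-CLI emits (not taken from a real site).
SAMPLE = json.loads('''[
 {"name": "akismet", "status": "inactive", "update": "none", "version": "4.2.1"},
 {"name": "include-me", "status": "active", "update": "available", "version": "1.2.1"}
]''')

if __name__ == "__main__":
    print(assess(SAMPLE))
```

Run it against each site's JSON and treat `exposed` as the priority flag; a result with `vulnerable` true but `status` inactive still needs the plugin deleted, since the files remain on disk.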

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests with '../' patterns to plugin endpoints
  • Unusual file access attempts in web server logs

Network Indicators:

  • GET/POST requests containing path traversal sequences to /wp-content/plugins/include-me/

SIEM Query (pseudo-syntax; adapt to your platform and match case-insensitively, since attackers vary both case and encoding):

web_access_logs WHERE lower(url) CONTAINS '/wp-content/plugins/include-me/' AND (url CONTAINS '../' OR url CONTAINS '..\' OR lower(url) CONTAINS '..%2f' OR lower(url) CONTAINS '..%5c' OR lower(url) CONTAINS '%2e%2e%2f' OR lower(url) CONTAINS '%252e%252e')

Where the SIEM can URL-decode a field before matching, decode first and match on the literal ../ instead of enumerating encodings. Traversal carried in a POST body does not appear in standard access logs, so this query only covers the GET/query-string case.
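The indicators above are easy to evade with encoding, so a detector should decode before it matches. The following is an added example, not code from the page or from any vendor tooling, that scans combined-format access log lines, repeatedly URL-decodes each request URL (catching double-encoded forms such as %252e%252e%252f), folds case, and flags requests to the plugin path that contain a ../ or ..\ sequence. The log lines are constructed for the demo; the `file=` parameter name in them is a placeholder, since the advisory does not name the vulnerable parameter, and the log format regex assumes Apache/nginx "combined" format.

```python
import re
from urllib.parse import unquote

PLUGIN_PATH = "/wp-content/plugins/include-me/"
# Traversal sequence after decoding: ../ or ..\
TRAVERSAL = re.compile(r"\.\.[/\\]")
# Apache/nginx combined log format (assumed; adjust for custom formats)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')


def normalize(url):
    """URL-decode up to three times (stopping when stable) and lowercase,
    so single-, double- and triple-encoded traversal sequences all surface."""
    prev, cur = None, url
    for _ in range(3):
        if cur == prev:
            break
        prev, cur = cur, unquote(cur)
    return cur.lower()


def is_traversal_attempt(url):
    """True if the request targets the plugin path with a traversal sequence."""
    n = normalize(url)
    return PLUGIN_PATH in n and bool(TRAVERSAL.search(n))


def scan(lines):
    """Return (client_ip, raw_url, status) for every matching request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # unparsable line; skip rather than guess
        if is_traversal_attempt(m["url"]):
            hits.append((m["ip"], m["url"], int(m["status"])))
    return hits


# Constructed sample log lines (not from a real server). Line 3 is double-encoded;
# line 4 is a benign plugin request; line 5 is traversal outside the plugin path.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jan/2022:10:00:01 +0000] "GET /wp-content/plugins/include-me/?file=../../../../etc/passwd HTTP/1.1" 200 1423 "-" "curl/7.68.0"',
    '203.0.113.5 - - [10/Jan/2022:10:00:02 +0000] "GET /wp-content/plugins/include-me/?file=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 200 2201 "-" "curl/7.68.0"',
    '203.0.113.5 - - [10/Jan/2022:10:00:03 +0000] "GET /wp-content/plugins/include-me/?file=%252e%252e%252fetc%252fpasswd HTTP/1.1" 403 199 "-" "curl/7.68.0"',
    '198.51.100.7 - - [10/Jan/2022:10:01:00 +0000] "GET /wp-content/plugins/include-me/readme.txt HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Jan/2022:10:01:05 +0000] "GET /blog/?s=../../etc/passwd HTTP/1.1" 200 9001 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, url, status in scan(SAMPLE_LOG):
        print(f"{ip} {status} {url}")
```

A 200 on a flagged request deserves triage as a probable successful read; a 403 shows the WAF did its job but the source IP is still probing. Because the rule matches on the decoded URL, it also sees backslash traversal (`..%5c`) that a literal `../` search misses.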

🔗 References