CVE-2021-24472
📋 TL;DR
This vulnerability allows unauthenticated attackers to make the web server fetch and display content from any URI via exposed proxy functionality in affected WordPress themes/plugins. It enables Server-Side Request Forgery (SSRF) and Remote File Inclusion (RFI) attacks. Users of OnAir2 WordPress theme before 3.9.9.2 or QT KenthaRadio WordPress plugin before 2.0.2 are affected.
💻 Affected Systems
- OnAir2 WordPress theme
- QT KenthaRadio WordPress plugin
📦 What is this software?
Kentharadio by Qantumthemes
Onair2 by Qantumthemes
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise via RFI leading to remote code execution, data exfiltration, or lateral movement to internal systems via SSRF.
Likely Case
Information disclosure from internal services, port scanning of internal networks, or limited file inclusion attacks.
If Mitigated
Limited impact if proper network segmentation, WAF rules, and input validation are in place.
🎯 Exploit Status
Simple HTTP requests to the exposed proxy endpoint can trigger the vulnerability. Public exploit code exists.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: OnAir2 theme 3.9.9.2+, QT KenthaRadio plugin 2.0.2+
Vendor Advisory: https://wpscan.com/vulnerability/17591ac5-88fa-4cae-a61a-4dcf5dc0b72a
Restart Required: No
Instructions:
1. Update OnAir2 theme to version 3.9.9.2 or higher.
2. Update QT KenthaRadio plugin to version 2.0.2 or higher.
3. Verify updates are applied correctly.
🔧 Temporary Workarounds
Disable vulnerable components
Temporarily disable the affected theme or plugin until patching is possible:
wp plugin deactivate qt-kentha-radio
wp theme disable onair2
Note that wp theme disable only applies to multisite installs; on a single site, switch to a different theme with wp theme activate <other-theme> instead.
WAF rule blocking
Block requests to the proxy endpoint using web application firewall rules.
🧯 If You Can't Patch
- Implement strict network segmentation to limit server's outbound connections
- Deploy web application firewall with SSRF and RFI protection rules
🔍 How to Verify
Check if Vulnerable:
Check the WordPress admin panel for the theme/plugin versions, or use: wp theme list --fields=name,version and wp plugin list --fields=name,version
Check Version:
wp theme list --fields=name,version | grep onair2 && wp plugin list --fields=name,version | grep kentha
Verify Fix Applied:
Confirm theme version is 3.9.9.2+ and plugin version is 2.0.2+ using version check commands.
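The version checks above are easy to get wrong with a plain string comparison (for example "3.9.10" sorts before "3.9.9.2" as text). The following script is an added example, not part of the advisory or of the vendor's code: it reads the name,version output of wp-cli and reports whether the installed OnAir2 theme or QT KenthaRadio plugin is below the fixed version. It assumes the output was produced with --format=csv (a standard wp-cli option) and uses the slugs onair2 and qt-kentha-radio from the workaround commands above; the sample CSV text is constructed.

```python
# Added example (not from the advisory): decide from wp-cli output whether the
# installed OnAir2 theme / QT KenthaRadio plugin is below the fixed version.
# Assumes output of:
#   wp theme list --fields=name,version --format=csv
#   wp plugin list --fields=name,version --format=csv
# Slugs "onair2" and "qt-kentha-radio" are taken from the advisory's workaround.
import csv
import io

FIXED_VERSIONS = {
    "onair2": "3.9.9.2",         # OnAir2 theme fixed in 3.9.9.2
    "qt-kentha-radio": "2.0.2",  # QT KenthaRadio plugin fixed in 2.0.2
}


def version_tuple(v: str) -> tuple:
    """Numeric tuple so 3.9.10 > 3.9.9.2; string compare gets this wrong.

    Non-digit suffixes (e.g. '2.0.2b') are ignored and trailing zeros are
    stripped so that '3.9.9' and '3.9.9.0' compare equal.
    """
    parts = []
    for piece in v.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_vulnerable(slug: str, version: str) -> bool:
    """True when `slug` is an affected component and `version` predates the fix."""
    fixed = FIXED_VERSIONS.get(slug)
    if fixed is None:
        return False  # not one of the two affected components
    return version_tuple(version) < version_tuple(fixed)


def check_wp_cli_csv(csv_text: str) -> dict:
    """Parse name,version CSV from wp-cli; return {slug: (version, vulnerable)} for affected components."""
    results = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        slug = (row.get("name") or "").strip()
        if slug in FIXED_VERSIONS:
            version = (row.get("version") or "").strip()
            results[slug] = (version, is_vulnerable(slug, version))
    return results


# Constructed sample output (what `wp theme list ... --format=csv` might print).
SAMPLE_THEMES = "name,version\ntwentytwentyone,1.3\nonair2,3.9.9.1\n"
SAMPLE_PLUGINS = "name,version\nakismet,4.1.9\nqt-kentha-radio,2.0.2\n"

if __name__ == "__main__":
    for label, text in (("themes", SAMPLE_THEMES), ("plugins", SAMPLE_PLUGINS)):
        for slug, (version, vuln) in check_wp_cli_csv(text).items():
            state = "VULNERABLE" if vuln else "fixed"
            print(f"{label}: {slug} {version} -> {state}")
```

In the constructed sample the theme (3.9.9.1) is reported as vulnerable and the plugin (2.0.2) as fixed. Pipe real wp-cli CSV output into check_wp_cli_csv to check a live install.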
📡 Detection & Monitoring
Log Indicators:
- Unusual outbound HTTP requests from web server
- Requests to internal IP addresses or localhost from web application
- Access to proxy-related endpoints without authentication
Network Indicators:
- HTTP requests to unusual external domains from web server IP
- Port scanning patterns originating from web server
SIEM Query:
source="web_server_logs" AND (uri CONTAINS "proxy" OR uri CONTAINS "fetch") AND response_code=200
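The SIEM query above only matches on the endpoint path and status code; the log indicator about internal addresses needs the fetch target itself to be inspected. The script below is an added example, not part of the advisory or of the vendor's code: it applies the same proxy/fetch path filter to web-server access-log lines and then parses the target parameter to flag requests whose destination is loopback, private, link-local or a non-http scheme. The endpoint path /proxy.php and the parameter names url, src, uri and file are assumptions for the constructed sample; the advisory does not name the real endpoint or parameter.

```python
# Added example (not from the advisory): flag access-log lines that look like
# abuse of an unauthenticated proxy/fetch endpoint, following the advisory's
# SIEM query (uri contains "proxy" or "fetch") and its indicator "requests to
# internal IP addresses or localhost". The endpoint path and parameter names
# below are assumptions; the advisory does not name them.
import ipaddress
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Combined/common log format: client - - [time] "METHOD path HTTP/x" status bytes
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+'
)

# Parameter names that commonly carry a fetch target (assumption).
TARGET_PARAMS = ("url", "src", "uri", "file")


def target_is_internal(target: str) -> bool:
    """True when the fetch target points at loopback/private/link-local space,
    a bare local path, or a non-http scheme such as file://."""
    parts = urlsplit(target)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return True  # a media proxy has no business fetching file:// etc.
    host = parts.hostname or ""
    if host in ("", "localhost"):
        return True  # local path or loopback by name
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # hostname; cannot decide without resolving it
    return ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_reserved


def analyze_line(line: str):
    """Return a finding dict for a request to a proxy/fetch endpoint, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parsed = urlsplit(m.group("path"))
    if not re.search(r"proxy|fetch", parsed.path, re.IGNORECASE):
        return None
    params = parse_qs(parsed.query)
    # parse_qs decodes once; unquote again so double-encoded targets are still seen.
    targets = [unquote(v) for name in TARGET_PARAMS for v in params.get(name, [])]
    return {
        "client": m.group("client"),
        "status": int(m.group("status")),
        "endpoint": parsed.path,
        "targets": targets,
        "internal_target": any(target_is_internal(t) for t in targets),
    }


def scan(lines):
    """Findings for every proxy/fetch hit, internal-target findings first."""
    findings = [f for f in (analyze_line(l) for l in lines) if f]
    return sorted(findings, key=lambda f: not f["internal_target"])


# Constructed sample log lines; the endpoint path is hypothetical.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jun/2021:12:00:01 +0000] "GET /wp-content/plugins/qt-kentha-radio/proxy.php?url=https%3A%2F%2Fstream.example.net%2Flive HTTP/1.1" 200 5120
203.0.113.55 - - [10/Jun/2021:12:00:07 +0000] "GET /wp-content/plugins/qt-kentha-radio/proxy.php?url=http%3A%2F%2F127.0.0.1%3A8080%2F HTTP/1.1" 200 834
203.0.113.55 - - [10/Jun/2021:12:00:09 +0000] "GET /wp-content/plugins/qt-kentha-radio/proxy.php?url=http%3A%2F%2F10.0.0.5%2F HTTP/1.1" 200 412
198.51.100.3 - - [10/Jun/2021:12:01:00 +0000] "GET /index.php HTTP/1.1" 200 11200
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        flag = "INTERNAL" if f["internal_target"] else "external"
        print(f"{f['client']} {f['status']} {f['endpoint']} {flag} {f['targets']}")
```

On the constructed sample the two requests from 203.0.113.55 are reported first as internal-target hits, while the legitimate stream fetch is listed as external. Hostname targets are deliberately not resolved here; a resolver step (with its own timeout) would be needed to catch DNS names that point into private space.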