CVE-2021-24491
📋 TL;DR
The Fileviewer WordPress plugin through version 2.2 lacks CSRF protection for file upload and delete operations. This allows attackers to trick logged-in administrators into performing unauthorized file operations via malicious links or websites. WordPress sites using vulnerable versions of this plugin are affected.
💻 Affected Systems
- WordPress Fileviewer plugin
📦 What is this software?
Fileviewer by Fileviewer Project
⚠️ Risk & Real-World Impact
Worst Case
An attacker could upload malicious files (including webshells) and delete critical system files, potentially leading to complete site compromise, data loss, or defacement.
Likely Case
Attackers would use CSRF to upload backdoors or malware, then establish persistent access to the WordPress site for further exploitation.
If Mitigated
With proper CSRF protections, only authenticated users with appropriate permissions could perform file operations, limiting impact to authorized actions.
🎯 Exploit Status
Exploitation requires tricking a logged-in administrator to click a malicious link or visit a crafted page. No authentication bypass is needed beyond the CSRF attack.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.3 or later
Vendor Advisory: https://wpscan.com/vulnerability/ddd37827-f4c1-4806-8846-d06d9fbf23dd
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the Fileviewer plugin.
4. Click 'Update Now' if an update is available.
5. If no update is available, deactivate and delete the plugin, then install version 2.3+ from the WordPress repository.
🔧 Temporary Workarounds
Disable Fileviewer Plugin
Temporarily disable the vulnerable plugin until patched.
wp plugin deactivate fileviewer
Implement CSRF Protection Manually
Add nonce verification to the plugin's file operations (requires code modification).
Add wp_verify_nonce() checks before file upload/delete operations in plugin PHP files
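As an added illustration of the workaround above (not the Fileviewer plugin's own code; the handler and action names `fv_example_delete` and `_wpnonce` are hypothetical), the following shows an admin-ajax delete handler in the unprotected style beside a hardened version that verifies a WordPress nonce and the caller's capability before touching the filesystem:

```php
<?php
// Added example, not code from the Fileviewer plugin. Handler names, the
// nonce action string and the form markup are assumptions for illustration.

// --- Unprotected style: trusts the admin's session cookie alone -------------
// A form on any third-party page can submit this request; the browser attaches
// the WordPress auth cookie, so the plugin cannot tell it from a real admin click.
function fv_example_delete_unprotected() {
    $path   = sanitize_file_name( wp_unslash( $_POST['file'] ?? '' ) );
    $upload = wp_upload_dir();
    $target = trailingslashit( $upload['basedir'] ) . $path;
    if ( is_file( $target ) ) {
        unlink( $target );
    }
    wp_send_json_success( array( 'deleted' => $path ) );
}

// --- Hardened: nonce + capability check before any filesystem change --------
function fv_example_delete_hardened() {
    // 1. CSRF: the nonce is bound to the logged-in user and to this action name,
    //    so a cross-site page cannot obtain a valid one. check_ajax_referer()
    //    is the one-line equivalent that dies with HTTP 403 on failure.
    $nonce = isset( $_POST['_wpnonce'] )
        ? sanitize_text_field( wp_unslash( $_POST['_wpnonce'] ) )
        : '';
    if ( ! wp_verify_nonce( $nonce, 'fv_example_delete' ) ) {
        wp_send_json_error( 'invalid or missing nonce', 403 );
    }

    // 2. Authorization: a nonce check is not a permission check; still require
    //    a capability suited to file management.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // 3. Constrain the path to the uploads directory; basename() drops any
    //    directory components so "../" sequences cannot escape it.
    $path   = basename( sanitize_file_name( wp_unslash( $_POST['file'] ?? '' ) ) );
    $upload = wp_upload_dir();
    $target = trailingslashit( $upload['basedir'] ) . $path;

    if ( '' === $path || ! is_file( $target ) ) {
        wp_send_json_error( 'no such file', 404 );
    }
    wp_delete_file( $target );
    wp_send_json_success( array( 'deleted' => $path ) );
}
add_action( 'wp_ajax_fv_example_delete', 'fv_example_delete_hardened' );

// The plugin's own admin page must embed a matching nonce in its form;
// the hardened handler rejects every request that does not carry it.
function fv_example_render_form( $file ) {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-ajax.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="fv_example_delete">';
    echo '<input type="hidden" name="file" value="' . esc_attr( $file ) . '">';
    wp_nonce_field( 'fv_example_delete', '_wpnonce' );
    submit_button( 'Delete' );
    echo '</form>';
}
```

The same pattern applies to the upload handler: every `wp_ajax_*` callback that changes state needs its own nonce check and capability check. When patching a plugin by hand, list all of its state-changing actions first, since a single unprotected handler is enough to keep the CSRF exposure open.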
🧯 If You Can't Patch
- Remove the Fileviewer plugin completely and use alternative file management solutions
- Implement web application firewall rules to block CSRF attacks targeting the plugin endpoints
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for the Fileviewer version. If the version is 2.2 or lower, the site is vulnerable.
Check Version:
wp plugin get fileviewer --field=version
Verify Fix Applied:
After the update, verify that the Fileviewer version shown in the WordPress plugins list is 2.3 or higher.
📡 Detection & Monitoring
Log Indicators:
- Unusual file uploads via Fileviewer endpoints by administrator accounts
- File deletion events in Fileviewer logs without corresponding admin actions
Network Indicators:
- HTTP POST requests to /wp-admin/admin-ajax.php?action=fileviewer_* endpoints with suspicious referer headers
- CSRF attack patterns in web server logs
SIEM Query:
source="web_server" AND (uri_path="/wp-admin/admin-ajax.php" AND query_string="action=fileviewer_*") AND NOT user_agent="WordPress/*"
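To make the network indicator above concrete, here is an added example (not part of this advisory) that scans web server access-log lines offline for POST requests to admin-ajax.php with a `fileviewer_*` action whose Referer is not the site itself. The log lines are constructed, and the site hostname `example.test` is an assumption:

```php
<?php
// Added example, not part of the advisory: offline scan of access-log lines
// for the Referer-based CSRF indicator. Sample lines are constructed and the
// protected site's hostname is an assumption.

const FV_SITE_HOST = 'example.test'; // assumed hostname of the protected site

// Apache/nginx "combined" log format: host ident user [time] "request" status bytes "referer" "user-agent"
const FV_LOG_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) \S+" (\d{3}) \S+ "([^"]*)" "([^"]*)"$/';

function fv_parse_line( string $line ): ?array {
    if ( ! preg_match( FV_LOG_RE, $line, $m ) ) {
        return null; // not a combined-format line
    }
    return array(
        'ip'      => $m[1],
        'time'    => $m[2],
        'method'  => $m[3],
        'target'  => $m[4],
        'status'  => (int) $m[5],
        'referer' => $m[6],
        'ua'      => $m[7],
    );
}

// True for a POST to admin-ajax.php whose query string carries a fileviewer_* action.
function fv_is_fileviewer_ajax( array $req ): bool {
    if ( 'POST' !== $req['method'] ) {
        return false;
    }
    $url = parse_url( $req['target'] );
    if ( ( $url['path'] ?? '' ) !== '/wp-admin/admin-ajax.php' ) {
        return false;
    }
    parse_str( $url['query'] ?? '', $q );
    return isset( $q['action'] ) && 0 === strpos( $q['action'], 'fileviewer_' );
}

// A request the admin's own browser sends from wp-admin carries a Referer on the
// site's host. A request triggered from a page hosted elsewhere carries a foreign
// Referer, or none at all if that page suppresses it; both are treated as suspect.
function fv_referer_is_foreign( string $referer ): bool {
    if ( '-' === $referer || '' === $referer ) {
        return true;
    }
    $host = parse_url( $referer, PHP_URL_HOST );
    return 0 !== strcasecmp( (string) $host, FV_SITE_HOST );
}

function fv_scan( array $lines ): array {
    $hits = array();
    foreach ( $lines as $line ) {
        $req = fv_parse_line( $line );
        if ( $req && fv_is_fileviewer_ajax( $req ) && fv_referer_is_foreign( $req['referer'] ) ) {
            $hits[] = $req;
        }
    }
    return $hits;
}

// Constructed sample: a legitimate admin action, one with a foreign Referer,
// one with no Referer, and one unrelated request. Only the middle two are flagged.
$sample = array(
    '203.0.113.5 - - [10/Jun/2021:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=fileviewer_upload HTTP/1.1" 200 51 "https://example.test/wp-admin/admin.php?page=fileviewer" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Jun/2021:10:05:44 +0000] "POST /wp-admin/admin-ajax.php?action=fileviewer_delete HTTP/1.1" 200 51 "https://attacker.invalid/free-gift.html" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Jun/2021:10:06:10 +0000] "POST /wp-admin/admin-ajax.php?action=fileviewer_upload HTTP/1.1" 200 51 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Jun/2021:10:07:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
);

foreach ( fv_scan( $sample ) as $hit ) {
    printf( "SUSPECT %s %s referer=%s\n", $hit['time'], $hit['target'], $hit['referer'] );
}
```

Treat a Referer mismatch as a triage signal rather than proof: browsers trim or drop the header under some Referrer-Policy settings, so legitimate admin actions can occasionally show up without one. A 200 status on such a request before the update is what makes it worth investigating; once the plugin verifies nonces, a forged request of this shape should produce a 403 instead.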