CVE-2021-24499
📋 TL;DR
This vulnerability allows unauthenticated attackers to upload arbitrary files, including PHP scripts, to WordPress sites using the Workreap theme. The flaw exists in AJAX endpoints that lack authentication and file validation. Any WordPress site with Workreap theme versions before 2.2.2 is affected.
💻 Affected Systems
- WordPress Workreap Theme
📦 What is this software?
Workreap by Amentotech
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise via remote code execution, allowing attackers to install backdoors, steal data, deface websites, or use the server for further attacks.
Likely Case
Website defacement, malware distribution, or credential theft through uploaded web shells.
If Mitigated
No impact if proper file upload validation and authentication are enforced.
🎯 Exploit Status
Exploitation requires no authentication and minimal technical skill. Public exploit code is available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.2.2
Vendor Advisory: https://wpscan.com/vulnerability/74611d5f-afba-42ae-bc19-777cdf2808cb
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Appearance > Themes.
3. Update the Workreap theme to version 2.2.2 or later.
4. Clear any caching plugins.
🔧 Temporary Workarounds
Disable vulnerable AJAX endpoints
Add code to functions.php to disable the vulnerable file upload endpoints:
add_action('init', function() {
    // Hooked on 'init' so it runs after the theme has registered its AJAX handlers.
    // Both the authenticated (wp_ajax_) and unauthenticated (wp_ajax_nopriv_) hooks are removed.
    remove_action('wp_ajax_workreap_award_temp_file_uploader', 'workreap_award_temp_file_uploader');
    remove_action('wp_ajax_nopriv_workreap_award_temp_file_uploader', 'workreap_award_temp_file_uploader');
    remove_action('wp_ajax_workreap_temp_file_uploader', 'workreap_temp_file_uploader');
    remove_action('wp_ajax_nopriv_workreap_temp_file_uploader', 'workreap_temp_file_uploader');
});
Block uploads to temp directory
Add .htaccess rules to the uploads directory to prevent PHP execution there:
# Deny direct requests for .php files under wp-content/uploads (Apache 2.2 syntax;
# on Apache 2.4 use "Require all denied" instead of "deny from all").
<Files *.php>
deny from all
</Files>
🧯 If You Can't Patch
- Disable the Workreap theme and switch to a secure alternative
- Implement web application firewall rules to block requests to vulnerable AJAX endpoints
🔍 How to Verify
Check if Vulnerable:
Check WordPress theme version in Appearance > Themes or examine style.css for version number
Check Version:
grep 'Version:' wp-content/themes/workreap/style.css
Verify Fix Applied:
Confirm Workreap theme version is 2.2.2 or higher in WordPress admin
📡 Detection & Monitoring
Log Indicators:
- POST requests to /wp-admin/admin-ajax.php with action=workreap_temp_file_uploader or workreap_award_temp_file_uploader
- File uploads to /wp-content/uploads/workreap-temp/ directory
- Execution of PHP files from uploads directory
Network Indicators:
- HTTP POST requests to admin-ajax.php with file upload parameters
- Unusual file types (.php, .phtml) being uploaded
SIEM Query:
source="web_logs" AND (uri_path="/wp-admin/admin-ajax.php" AND (post_data CONTAINS "workreap_temp_file_uploader" OR post_data CONTAINS "workreap_award_temp_file_uploader"))
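As an added example (not part of the advisory), a small Python detector that applies the log indicators above to constructed sample records: a POST to admin-ajax.php naming either vulnerable action, and a request for a .php/.phtml file under wp-content/uploads. The JSON log format, field names and sample values are assumptions.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample records (one JSON object per line); field names are assumed, not real traffic.
SAMPLE_LOG = """\
{"src": "203.0.113.5", "method": "POST", "uri": "/wp-admin/admin-ajax.php", "post_data": "action=workreap_temp_file_uploader"}
{"src": "203.0.113.5", "method": "GET", "uri": "/wp-content/uploads/workreap-temp/abc123.php", "post_data": ""}
{"src": "198.51.100.9", "method": "POST", "uri": "/wp-admin/admin-ajax.php", "post_data": "action=heartbeat"}
{"src": "198.51.100.9", "method": "GET", "uri": "/wp-content/uploads/2021/07/logo.png", "post_data": ""}
{"src": "203.0.113.7", "method": "POST", "uri": "/wp-admin/admin-ajax.php?action=workreap_award_temp_file_uploader", "post_data": ""}
"""

# The two AJAX actions named in the advisory, plus a pattern for PHP served from the uploads tree.
VULN_ACTIONS = {"workreap_temp_file_uploader", "workreap_award_temp_file_uploader"}
AJAX_PATH = "/wp-admin/admin-ajax.php"
UPLOADS_PHP_RE = re.compile(r"^/wp-content/uploads/.*\.(php|phtml)$", re.IGNORECASE)


def requested_action(rec):
    """Return the WP AJAX 'action' from the query string or the POST body, else None."""
    params = parse_qs(urlsplit(rec["uri"]).query)
    params.update(parse_qs(rec.get("post_data", "")))  # body value wins if both carry one
    return params.get("action", [None])[0]


def classify(rec):
    """Map one record to the list of advisory indicators it matches (possibly empty)."""
    hits = []
    path = urlsplit(rec["uri"]).path
    if rec["method"] == "POST" and path == AJAX_PATH and requested_action(rec) in VULN_ACTIONS:
        hits.append("workreap_upload_endpoint")
    if UPLOADS_PHP_RE.match(path):
        hits.append("php_request_in_uploads")
    return hits


def scan(log_text):
    """Return (src, uri, indicators) for every record matching at least one indicator."""
    findings = []
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        hits = classify(rec)
        if hits:
            findings.append((rec["src"], rec["uri"], hits))
    return findings


if __name__ == "__main__":
    for src, uri, hits in scan(SAMPLE_LOG):
        print(f"{src} {uri} -> {', '.join(hits)}")
```

Because the action usually travels in the POST body, the detector only sees it when the log source records request bodies (as the SIEM query's post_data field assumes); otherwise the uploads-directory indicator is the one that still fires.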
🔗 References
- http://packetstormsecurity.com/files/172876/WordPress-Workreap-2.2.2-Shell-Upload.html
- https://jetpack.com/2021/07/07/multiple-vulnerabilities-in-workreap-theme/
- https://wpscan.com/vulnerability/74611d5f-afba-42ae-bc19-777cdf2808cb