CVE-2021-24663
📋 TL;DR
The Simple Schools Staff Directory WordPress plugin through version 1.1 contains an unrestricted file upload vulnerability that allows authenticated administrators to upload arbitrary files, including PHP scripts. This can lead to remote code execution on the web server. Only WordPress sites using this specific plugin are affected.
💻 Affected Systems
- Simple Schools Staff Directory WordPress Plugin
📦 What is this software?
Simple Schools Staff Directory by Simple Schools Staff Directory Project
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise via remote code execution, allowing attackers to execute arbitrary commands, install malware, steal data, or pivot to other systems.
Likely Case
Webshell installation leading to data theft, defacement, or use as part of a botnet.
If Mitigated
No impact if proper file type validation is implemented or the plugin is removed.
🎯 Exploit Status
Exploitation requires admin credentials. Public exploit scripts exist for this vulnerability.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.2 or later
Vendor Advisory: https://wpscan.com/vulnerability/8b5b5b57-50c5-4cd8-9171-168c3e9df46a
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins.
3. Find Simple Schools Staff Directory.
4. Update to version 1.2 or later.
5. If no update is available, deactivate and delete the plugin.
🔧 Temporary Workarounds
Remove upload capability
Restrict file uploads to admin users or disable the logo upload feature
Edit plugin files to remove or restrict upload functionality
Web server file type restrictions
Configure the web server to block execution of uploaded PHP files
Add to a .htaccess file in the plugin's upload directory (/wp-content/uploads/simple-schools-staff-directory/), not the site root, since a site-wide rule would block WordPress itself:
```apache
# Matches only the ".php" extension; "Deny from all" is Apache 2.2 syntax and
# requires mod_access_compat on Apache 2.4, where "Require all denied" is the native form
<FilesMatch "\.php$">
    Deny from all
</FilesMatch>
```
🧯 If You Can't Patch
- Deactivate and remove the Simple Schools Staff Directory plugin immediately
- Implement strict web application firewall rules to block file uploads to the affected endpoint
🔍 How to Verify
Check if Vulnerable:
Check the WordPress admin panel > Plugins > Simple Schools Staff Directory version. If the version is 1.1 or earlier, you are vulnerable.
Check Version:
```shell
# --name filters on the plugin slug (its directory name), not the display title;
# the slug simple-schools-staff-directory is assumed from the upload path used by the plugin
wp plugin list --name=simple-schools-staff-directory --field=version
```
Verify Fix Applied:
Verify plugin version is 1.2 or later. Test logo upload functionality with non-image files to ensure they are rejected.
📡 Detection & Monitoring
Log Indicators:
- Unusual file uploads to /wp-content/uploads/simple-schools-staff-directory/
- POST requests to /wp-admin/admin-ajax.php with action=sssd_upload_logo
Network Indicators:
- File uploads containing PHP code or unusual file extensions
- HTTP requests with Content-Type mismatch for image uploads
SIEM Query:
source="web_server" AND (uri_path="/wp-admin/admin-ajax.php" AND parameters.action="sssd_upload_logo")
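The two log indicators above, as an added example that is not part of the advisory: a small scanner over constructed Apache combined-format access log lines that flags POSTs to admin-ajax.php with action=sssd_upload_logo and any non-image file served from the plugin's upload directory. It assumes the action parameter is visible in the logged request target; when it is sent only in the POST body the second rule still applies.

```python
import os
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample log lines (not real traffic) in Apache "combined" format.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2021:13:55:36 +0000] "POST /wp-admin/admin-ajax.php?action=sssd_upload_logo HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2021:13:55:40 +0000] "GET /wp-content/uploads/simple-schools-staff-directory/logo.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2021:14:01:02 +0000] "GET /wp-content/uploads/simple-schools-staff-directory/logo.png HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2021:14:02:10 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 64 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
UPLOAD_DIR = "/wp-content/uploads/simple-schools-staff-directory/"
AJAX_PATH = "/wp-admin/admin-ajax.php"
IMAGE_EXT = {".png", ".jpg", ".jpeg", ".gif", ".webp"}


def classify(line):
    """Return a finding dict for a suspicious line, or None for benign lines."""
    m = LINE_RE.match(line)
    if not m:
        return None  # malformed line: skip rather than guess
    url = urlparse(m["target"])
    action = parse_qs(url.query).get("action", [""])[0]
    # Rule 1: the logo-upload AJAX action reached the vulnerable handler.
    if m["method"] == "POST" and url.path == AJAX_PATH and action == "sssd_upload_logo":
        return {"rule": "logo_upload", "ip": m["ip"], "ts": m["ts"], "path": url.path}
    # Rule 2: a non-image file (e.g. .php) being served from the upload directory.
    if url.path.startswith(UPLOAD_DIR):
        ext = os.path.splitext(url.path)[1].lower()
        if ext not in IMAGE_EXT:
            return {"rule": "non_image_in_upload_dir", "ip": m["ip"], "ts": m["ts"], "path": url.path}
    return None


def scan(log_text):
    """Scan a block of log text and return all findings in order."""
    return [f for f in (classify(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```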