CVE-2021-24936

8.0 HIGH

📋 TL;DR

This vulnerability in the WP Extra File Types WordPress plugin allows attackers to trick logged-in administrators into changing plugin settings without their knowledge via CSRF attacks. The settings lack proper sanitization, enabling cross-site scripting (XSS) attacks. WordPress sites using vulnerable versions of this plugin are affected.

💻 Affected Systems

Products:
  • WP Extra File Types WordPress Plugin
Versions: Versions before 0.5.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress installation with the plugin active and an administrator logged in.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could inject malicious scripts into admin settings pages, potentially compromising administrator accounts, stealing session cookies, or redirecting users to malicious sites.

🟠 Likely Case

Attackers would use social engineering to trick administrators into clicking malicious links, leading to XSS payload execution in the admin panel.

🟢 If Mitigated

With proper CSRF protection and input validation, the attack would fail, and no unauthorized changes could be made.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires social engineering to trick an admin into clicking a malicious link while logged in.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.5.1

Vendor Advisory: https://wpscan.com/vulnerability/4fb61b84-ff5f-4b4c-a516-54b749f9611e

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'WP Extra File Types' and update to version 0.5.1 or later.
4. Verify that the update completes successfully.

🔧 Temporary Workarounds

Disable Plugin

Platform: all

Temporarily disable the vulnerable plugin until patched:

wp plugin deactivate wp-extra-file-types

Implement CSRF Protection

Platform: all

Add custom CSRF tokens to the plugin settings forms if source code access is available.
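The pattern behind this workaround, shown as an added example (this is not the WP Extra File Types plugin's own code, and the option name `wpeft_demo_types`, the nonce action `wpeft_demo_save` and the field names are assumptions for illustration). The weak handler shows the class of defect the advisory describes: a settings save with no nonce, no capability check, and no sanitization or output escaping. The hardened handler adds a WordPress nonce so a forged cross-site form is rejected, a capability check, an allow-list on the stored value, and escaping on output so stored data cannot run as script.

```php
<?php
// Added example, not code from the WP Extra File Types plugin.
// Option name 'wpeft_demo_types', nonce action 'wpeft_demo_save' and the
// field names are hypothetical and chosen only for illustration.

// --- Weak pattern: the defect class the advisory describes ---
// No capability check, no nonce, raw POST data stored and echoed back unescaped.
function wpeft_demo_save_weak() {
    if ( isset( $_POST['wpeft_types'] ) ) {
        update_option( 'wpeft_demo_types', $_POST['wpeft_types'] );
    }
}

function wpeft_demo_render_weak() {
    echo '<input name="wpeft_types" value="' . get_option( 'wpeft_demo_types', '' ) . '">';
}

// --- Hardened pattern ---
function wpeft_demo_save_hardened() {
    if ( ! isset( $_POST['wpeft_types'] ) ) {
        return;
    }
    // Only users allowed to manage options may change the setting.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // Nonce check: a form submitted from another origin cannot carry a
    // valid nonce, so a CSRF request dies here.
    check_admin_referer( 'wpeft_demo_save', 'wpeft_demo_nonce' );

    $raw = wp_unslash( $_POST['wpeft_types'] );

    // Allow-list the value: comma-separated lower-case alphanumeric
    // extensions only, so markup or script can never be stored.
    $clean = array();
    foreach ( explode( ',', $raw ) as $ext ) {
        $ext = strtolower( trim( sanitize_text_field( $ext ) ) );
        if ( preg_match( '/^[a-z0-9]{1,10}$/', $ext ) ) {
            $clean[] = $ext;
        }
    }
    update_option( 'wpeft_demo_types', implode( ',', array_unique( $clean ) ) );
}

function wpeft_demo_render_hardened() {
    echo '<form method="post">';
    // Emits the hidden nonce field that check_admin_referer() verifies.
    wp_nonce_field( 'wpeft_demo_save', 'wpeft_demo_nonce' );
    // Escape on output so whatever is stored cannot break out of the attribute.
    echo '<input name="wpeft_types" value="'
        . esc_attr( get_option( 'wpeft_demo_types', '' ) ) . '">';
    submit_button();
    echo '</form>';
}

// Hook the hardened save handler; the weak functions above are for contrast only.
add_action( 'admin_init', 'wpeft_demo_save_hardened' );
```

Both the nonce and the output escaping matter: the nonce stops a cross-site form from changing the setting at all, while the allow-list and `esc_attr()` ensure that even a value that does get stored cannot become script on the settings page.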

🧯 If You Can't Patch

  • Restrict admin access to trusted networks only.
  • Implement web application firewall (WAF) rules to block CSRF attacks.

🔍 How to Verify

Check if Vulnerable:

Check plugin version in WordPress admin under Plugins > Installed Plugins. If version is below 0.5.1, it is vulnerable.

Check Version:

wp plugin get wp-extra-file-types --field=version

Verify Fix Applied:

Confirm plugin version is 0.5.1 or higher after update.

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized changes to wp_extra_file_types settings in database logs.
  • Admin user actions from unexpected IP addresses or user-agents.

Network Indicators:

  • HTTP POST requests to /wp-admin/admin.php?page=wp-extra-file-types from non-admin sources.

SIEM Query:

source="wordpress" AND (uri_path="/wp-admin/admin.php" AND query_string="page=wp-extra-file-types") AND http_method="POST"

🔗 References
