CVE-2021-25119

7.2 HIGH

📋 TL;DR

The AGIL WordPress plugin through version 1.0 has an unrestricted file upload vulnerability that allows authenticated administrators to upload arbitrary files, including PHP scripts, leading to remote code execution. This affects WordPress sites running the vulnerable plugin version. Attackers with admin credentials can achieve full server compromise.

💻 Affected Systems

Products:
  • AGIL WordPress Plugin
Versions: All versions through 1.0
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress admin privileges to exploit. The plugin automatically extracts uploaded zip files without validating contents.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Full server compromise with attacker gaining shell access, installing backdoors, stealing data, and using the server for further attacks.

🟠 Likely Case

Attacker uploads web shell and gains persistent access to the WordPress server, potentially compromising the entire site and database.

🟢 If Mitigated

No impact if proper file type validation is implemented or plugin is disabled/removed.

🌐 Internet-Facing: HIGH - WordPress sites are typically internet-facing, and admin credentials can be compromised through various means.
🏢 Internal Only: MEDIUM - Internal attackers with admin access could exploit this, but requires privileged credentials.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires admin credentials but is straightforward once obtained. Public exploit details exist in security advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: None - plugin appears abandoned

Vendor Advisory: https://wpscan.com/vulnerability/47235989-d9f1-48a5-9799-fdef0889bf8a

Restart Required: No

Instructions:

1. Remove the AGIL plugin completely from your WordPress installation.
2. Delete all plugin files from /wp-content/plugins/agil/.
3. Verify no residual files remain.

🔧 Temporary Workarounds

Disable Plugin (platform: all)

Deactivate the AGIL plugin in WordPress admin panel to prevent exploitation.

Navigate to WordPress Admin > Plugins > Installed Plugins > Deactivate AGIL

Restrict File Uploads (platform: linux)

Add server-side restrictions to block execution of PHP files in the directory that receives uploads, via .htaccess or the web server config. Place the rule in that directory (typically wp-content/uploads), not in the site root, because a site-wide rule would also block WordPress's own PHP files.

Add to .htaccess:

  <FilesMatch "\.(php|php5|php7|phtml)$">
    Order Allow,Deny
    Deny from all
  </FilesMatch>

Note: Order/Deny is Apache 2.2 syntax; on Apache 2.4 it only works with mod_access_compat loaded, and the native form is "Require all denied". Nginx does not read .htaccess, so the equivalent location rule must go in the server configuration.

🧯 If You Can't Patch

  • Remove admin access from untrusted users and implement strong password policies
  • Implement web application firewall rules to block suspicious file upload patterns

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin > Plugins > Installed Plugins for AGIL plugin version 1.0 or earlier.

Check Version:

Check the plugin version in the WordPress admin panel, or read the readme.txt file in /wp-content/plugins/agil/.

Verify Fix Applied:

Confirm AGIL plugin is completely removed from /wp-content/plugins/ directory and not listed in WordPress plugins.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file uploads to WordPress uploads directory
  • POST requests to plugin endpoints with zip files
  • Execution of unexpected PHP files in uploads directory

Network Indicators:

  • HTTP POST requests containing zip files to /wp-content/plugins/agil/ endpoints
  • Subsequent requests to newly uploaded PHP files

SIEM Query:

source="web_server" AND (uri_path="/wp-content/plugins/agil/*" AND method="POST" AND file_extension="zip")

(Match the plugin directory as a prefix rather than an exact path, since uploads are posted to an endpoint below it.)
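The log indicators above can be correlated automatically. The following is an added example, not part of the advisory or the plugin: it parses combined-format access-log lines, records POSTs to the AGIL plugin directory per source IP, and flags any PHP file served from the WordPress uploads tree, escalating to high severity when the same IP posted to the plugin earlier (the upload-then-execute chain). The plugin endpoint name, IP addresses and file names in the sample log are constructed.

```python
import re

# Combined (Apache/Nginx "combined") access-log format; the prefix up to the status code is enough here
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
PLUGIN_PREFIX = "/wp-content/plugins/agil/"   # plugin directory named in the advisory
UPLOADS_PREFIX = "/wp-content/uploads/"       # where WordPress stores uploaded media
PHP_EXT = re.compile(r"\.(php|php5|php7|phtml)$", re.IGNORECASE)

def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_upload_chains(log_lines):
    """Alert on PHP served (status < 400) from the uploads tree; severity is
    'high' when the same source IP earlier POSTed to the AGIL plugin directory."""
    plugin_posts = {}   # source ip -> plugin paths it POSTed to
    alerts = []
    for line in log_lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]   # drop the query string before matching
        if rec["method"] == "POST" and path.startswith(PLUGIN_PREFIX):
            plugin_posts.setdefault(rec["ip"], []).append(path)
        elif path.startswith(UPLOADS_PREFIX) and PHP_EXT.search(path) and int(rec["status"]) < 400:
            prior = plugin_posts.get(rec["ip"], [])
            alerts.append({
                "ip": rec["ip"], "php": path, "ts": rec["ts"],
                "prior_plugin_posts": list(prior),
                "severity": "high" if prior else "medium",
            })
    return alerts

# Constructed sample log: the upload.php endpoint name, IPs and file names are made up for illustration.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2021:14:02:11 +0000] "POST /wp-content/plugins/agil/upload.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2021:14:02:19 +0000] "GET /wp-content/uploads/2021/03/x.php?a=1 HTTP/1.1" 200 88 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2021:14:05:00 +0000] "GET /wp-content/uploads/2021/03/logo.png HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2021:14:06:00 +0000] "GET /wp-content/uploads/2021/03/old.php HTTP/1.1" 404 0 "-" "curl/7.68.0"
192.0.2.5 - - [10/Mar/2021:14:07:30 +0000] "GET /wp-content/uploads/2020/11/legacy.phtml HTTP/1.1" 200 10 "-" "curl/7.68.0"
""".splitlines()

if __name__ == "__main__":
    for a in find_upload_chains(SAMPLE_LOG):
        print(a["severity"].upper(), a["ip"], a["php"], a["prior_plugin_posts"])
```

The 404 for old.php is deliberately not alerted on, while the phtml hit with no prior plugin POST still surfaces at medium severity because PHP should never execute from the uploads tree.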
