CVE-2021-4354
📋 TL;DR
This vulnerability in the PWA for WP & AMP WordPress plugin allows authenticated attackers to upload arbitrary files due to missing file type validation. Attackers could potentially achieve remote code execution by uploading malicious files like PHP shells. WordPress sites using vulnerable plugin versions up to 1.7.32 are affected.
💻 Affected Systems
- PWA for WP & AMP WordPress Plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise via remote code execution, allowing attackers to execute arbitrary commands, steal data, install backdoors, or pivot to other systems.
Likely Case
Website defacement, data theft, or installation of cryptocurrency miners or malware through uploaded malicious files.
If Mitigated
Unauthorized file uploads are blocked, but authenticated attackers may still attempt exploitation; those attempts should be visible in logs.
🎯 Exploit Status
Exploitation requires authenticated access but is technically simple once authentication is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.7.33 and later
Vendor Advisory: https://wordpress.org/plugins/pwa-for-wp/#developers
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the 'PWA for WP & AMP' plugin.
4. Click 'Update Now' if an update is available.
5. Alternatively, download version 1.7.33+ from the WordPress repository and update manually.
🔧 Temporary Workarounds
Disable vulnerable function via filter
Platform: all
Add a WordPress filter to disable the vulnerable pwaforwp_splashscreen_uploader function. Add to the theme's functions.php or a custom plugin:
add_filter('pwaforwp_splashscreen_uploader', '__return_false');
Restrict file uploads via .htaccess
Platform: linux
Block execution of uploaded files in the WordPress uploads directory. Add to .htaccess in wp-content/uploads/:
<FilesMatch "\.(php|php5|php7|phtml|phar)$">
Order Allow,Deny
Deny from all
</FilesMatch>
🧯 If You Can't Patch
- Temporarily disable or remove the PWA for WP & AMP plugin
- Implement strict file upload validation at web application firewall level
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for PWA for WP & AMP version. If version is 1.7.32 or lower, you are vulnerable.
Check Version:
wp plugin list --name=pwa-for-wp --field=version (if WP-CLI is installed; WP-CLI filters on the plugin slug, pwa-for-wp, not the display name)
Verify Fix Applied:
Verify plugin version is 1.7.33 or higher in WordPress admin panel. Test file upload functionality with non-image files to confirm validation.
📡 Detection & Monitoring
Log Indicators:
- Multiple failed file upload attempts in WordPress logs
- Uploads of non-image files to pwaforwp_splashscreen_uploader endpoint
- POST requests to /wp-admin/admin-ajax.php with action=pwaforwp_splashscreen_uploader
Network Indicators:
- Unusual file uploads to WordPress admin endpoints
- POST requests with file uploads containing PHP code or executable content
SIEM Query:
source="wordpress.log" AND ("pwaforwp_splashscreen_uploader" OR "admin-ajax.php") AND ("upload" OR "file")
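The log indicators above, turned into a small detection script over constructed web-server access log lines. This is an added example, not part of the original advisory: it flags POST requests to admin-ajax.php carrying action=pwaforwp_splashscreen_uploader and any request for a script file (the extensions the .htaccess workaround blocks) under wp-content/uploads/; the sample IPs, timestamps and paths are made up.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Extensions the page's .htaccess workaround blocks under wp-content/uploads/.
BLOCKED_EXT = ("php", "php5", "php7", "phtml", "phar")
UPLOADER_ACTION = "pwaforwp_splashscreen_uploader"

# Apache/nginx "combined" style access log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines (not real traffic): one uploader call, one later
# request for a .php file under uploads, and two benign requests.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-admin/admin-ajax.php?action=pwaforwp_splashscreen_uploader HTTP/1.1" 200 512
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /wp-content/uploads/2023/10/splash.php HTTP/1.1" 200 33
198.51.100.7 - - [10/Oct/2023:14:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 88
198.51.100.7 - - [10/Oct/2023:14:01:09 +0000] "GET /wp-content/uploads/2023/10/logo.png HTTP/1.1" 200 4096
"""

def parse_line(line):
    """Return the log fields as a dict, or None if the line does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_uploader_call(rec):
    """POST to admin-ajax.php whose query string selects the splash-screen uploader."""
    if rec["method"] != "POST":
        return False
    parts = urlsplit(rec["path"])
    if parts.path != "/wp-admin/admin-ajax.php":
        return False
    return UPLOADER_ACTION in parse_qs(parts.query).get("action", [])

def is_script_in_uploads(rec):
    """Any request for a blocked script extension below wp-content/uploads/."""
    path = urlsplit(rec["path"]).path.lower()
    return path.startswith("/wp-content/uploads/") and path.rsplit(".", 1)[-1] in BLOCKED_EXT

def scan(log_text):
    """Return (ip, timestamp, indicator, status) for every matching line."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if is_uploader_call(rec):
            findings.append((rec["ip"], rec["ts"], "splashscreen_uploader_call", rec["status"]))
        elif is_script_in_uploads(rec):
            findings.append((rec["ip"], rec["ts"], "script_request_in_uploads", rec["status"]))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A script request under uploads answered with 200 rather than 403 also tells you the .htaccess workaround is not in effect on that path.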
🔗 References
- https://blog.nintechnet.com/wordpress-pwa-for-wp-and-amp-plugin-fixed-vulnerabilities/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/6082791e-feac-41f7-b565-9d98624ddf50?source=cve