CVE-2021-4436
📋 TL;DR
CVE-2021-4436 is an unauthenticated arbitrary file upload vulnerability in the 3DPrint Lite WordPress plugin. Attackers can upload malicious files to vulnerable WordPress sites without authentication. All WordPress sites using affected versions of the 3DPrint Lite plugin are vulnerable.
💻 Affected Systems
- 3DPrint Lite WordPress Plugin
📦 What is this software?
3dprint Lite by Wp3dprinting
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise, data theft, and website defacement if uploaded files can be executed.
Likely Case
File upload leading to webshell deployment, limited by .htaccess restrictions on Apache servers, but still enabling malicious file storage.
If Mitigated
Uploaded files remain inaccessible due to .htaccess restrictions, preventing direct exploitation while still allowing unauthorized file storage.
🎯 Exploit Status
Simple HTTP POST request to vulnerable endpoint with malicious file payload. Public exploit scripts available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.9.1.5
Vendor Advisory: https://wpscan.com/vulnerability/c46ecd0d-a132-4ad6-b936-8acde3a09282/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the 3DPrint Lite plugin.
4. Click 'Update Now' if an update is available.
5. If no update is available, manually download version 1.9.1.5 or later from the WordPress plugin repository.
🔧 Temporary Workarounds
Disable vulnerable AJAX endpoint
Block access to the p3dlite_handle_upload AJAX action via web server configuration. Both rules below only match the action name when it is sent in the query string; admin-ajax.php also accepts the action in the POST body, which a web server rewrite rule cannot inspect, so pair this with a WAF rule that inspects the body or deactivate the plugin.
# Apache .htaccess (RewriteRule does not see the query string, so match it with RewriteCond)
RewriteEngine On
RewriteCond %{QUERY_STRING} (^|&)action=p3dlite_handle_upload(&|$) [NC]
RewriteRule ^wp-admin/admin-ajax\.php$ - [F,L]
# Nginx (inside the server block; location patterns do not match the query string either)
set $p3d_block 0;
if ($request_uri ~* "^/wp-admin/admin-ajax\.php") { set $p3d_block 1; }
if ($arg_action != "p3dlite_handle_upload") { set $p3d_block 0; }
if ($p3d_block) { return 403; }
Disable plugin
Temporarily disable the 3DPrint Lite plugin until patched (WP-CLI, run from the site root):
wp plugin deactivate 3dprint-lite
🧯 If You Can't Patch
- Disable the 3DPrint Lite plugin immediately
- Implement web application firewall rules to block requests to the vulnerable endpoint
🔍 How to Verify
Check if Vulnerable:
Check WordPress plugin version: wp plugin list | grep 3dprint-lite
Check Version:
wp plugin get 3dprint-lite --field=version
Verify Fix Applied:
Verify plugin version is 1.9.1.5 or higher: wp plugin get 3dprint-lite --field=version
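As an added check that is not part of the advisory, the Python helper below compares the version reported by `wp plugin get` against the fixed release numerically rather than as a string, so that a version such as 1.10 is not mistaken for one below 1.9.1.5 the way a plain string comparison would. The `--path` value is an assumption to adjust to the site's document root.

```python
"""Decide whether an installed 3DPrint Lite version is below the fixed release (added example)."""
import re
import subprocess

FIXED_VERSION = "1.9.1.5"  # patch version from the advisory


def parse_version(version):
    """Turn '1.9.1.5' into (1, 9, 1, 5); any '-tag' suffix is ignored."""
    parts = tuple(int(x) for x in re.findall(r"\d+", version.split("-", 1)[0]))
    if not parts:
        raise ValueError(f"unparsable version string: {version!r}")
    return parts


def is_vulnerable(installed, fixed=FIXED_VERSION):
    """True when `installed` is strictly lower than `fixed`, padding short versions with zeros."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def installed_version(site_path="/var/www/html"):
    """Run the Check Version command from the advisory via WP-CLI; site_path is an assumed default."""
    out = subprocess.run(
        ["wp", "plugin", "get", "3dprint-lite", "--field=version", f"--path={site_path}"],
        capture_output=True, text=True, check=True,
    )
    return out.stdout.strip()


if __name__ == "__main__":
    version = installed_version()
    state = "VULNERABLE, update to 1.9.1.5 or later" if is_vulnerable(version) else "patched"
    print(f"3dprint-lite {version}: {state}")
```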
📡 Detection & Monitoring
Log Indicators:
- POST requests to /wp-admin/admin-ajax.php with action=p3dlite_handle_upload
- Large file uploads to WordPress admin-ajax endpoint
- Multiple failed upload attempts from single IP
Network Indicators:
- HTTP POST to admin-ajax.php with file upload parameters
- Unusual file types (php, exe, etc.) being uploaded to WordPress
SIEM Query:
source="web_logs" AND uri="/wp-admin/admin-ajax.php" AND method="POST" AND params.action="p3dlite_handle_upload"
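The log indicators above, applied to access-log lines, as an added example that is not part of the advisory. It assumes Combined Log Format (the Apache and Nginx default), the sample lines are constructed, and it goes one step beyond the listed indicators in two ways: a POST to admin-ajax.php with no `action` in the URL is flagged for body-level inspection, because WordPress also reads the action from the POST body and an access log never records it; and a script fetched from under /wp-content/uploads/ is flagged as the follow-on access that a successful upload would lead to and that the .htaccess mitigation is meant to prevent.

```python
"""Scan access-log lines for the CVE-2021-4436 log indicators (added example, constructed sample data)."""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

VULN_ACTION = "p3dlite_handle_upload"
AJAX_PATH = "/wp-admin/admin-ajax.php"

# Combined Log Format: ip ident user [time] "METHOD target PROTOCOL" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# Scripts requested from the uploads tree (where a successful upload would land)
UPLOADS_EXEC_RE = re.compile(r"^/wp-content/uploads/.*\.(php\d?|phtml|phar)$", re.IGNORECASE)

# Constructed sample traffic, not real log data
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2024:12:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=p3dlite_handle_upload HTTP/1.1" 200 153 "-" "python-requests/2.31"
203.0.113.7 - - [10/Jan/2024:12:00:02 +0000] "POST /wp-admin/admin-ajax.php?action=p3dlite_handle_upload HTTP/1.1" 403 199 "-" "python-requests/2.31"
203.0.113.7 - - [10/Jan/2024:12:00:03 +0000] "POST /wp-admin/admin-ajax.php?action=p3dlite_handle_upload HTTP/1.1" 500 0 "-" "python-requests/2.31"
198.51.100.4 - - [10/Jan/2024:12:00:04 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 45 "https://example.test/wp-admin/" "Mozilla/5.0"
198.51.100.4 - - [10/Jan/2024:12:00:05 +0000] "GET /wp-content/uploads/p3d/x.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Jan/2024:12:00:06 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 153 "-" "curl/8.4"
"""


def parse_line(line):
    """Return the fields of one access-log line, or None if it is not in the expected format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def analyse(log_text):
    """Apply the indicators to every line and collect the evidence per category."""
    hits = []                 # (ip, status) for POSTs naming the vulnerable action in the query string
    failed_by_ip = Counter()  # 4xx/5xx responses to those POSTs, per source IP
    body_only_posts = []      # POSTs to admin-ajax.php with no action in the URL (action may be in the body)
    exec_in_uploads = []      # (ip, path) for scripts requested from /wp-content/uploads/
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        url = urlsplit(rec["target"])
        action = parse_qs(url.query).get("action", [None])[0]
        if rec["method"] == "POST" and url.path == AJAX_PATH:
            if action == VULN_ACTION:
                hits.append((rec["ip"], rec["status"]))
                if rec["status"] >= 400:
                    failed_by_ip[rec["ip"]] += 1
            elif action is None:
                body_only_posts.append(rec["ip"])
        if rec["method"] == "GET" and UPLOADS_EXEC_RE.match(url.path):
            exec_in_uploads.append((rec["ip"], url.path))
    return {
        "hits": hits,
        "failed_by_ip": failed_by_ip,
        "body_only_posts": body_only_posts,
        "exec_in_uploads": exec_in_uploads,
    }


def repeat_offenders(result, threshold=2):
    """IPs with at least `threshold` failed upload attempts (the 'multiple failed attempts' indicator)."""
    return sorted(ip for ip, n in result["failed_by_ip"].items() if n >= threshold)


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for ip, status in result["hits"]:
        print(f"upload attempt from {ip} -> HTTP {status}")
    print("repeat offenders:", repeat_offenders(result))
    print("POSTs to admin-ajax.php needing body inspection:", result["body_only_posts"])
    print("scripts fetched from uploads:", result["exec_in_uploads"])
```

The access log only shows the request size when the log format includes `%I` (Apache mod_logio) or `$request_length` (Nginx), so the "large file uploads" indicator needs one of those fields added to the format before it can be checked from logs alone.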