CVE-2021-4443
📋 TL;DR
This vulnerability allows unauthenticated attackers to create arbitrary PHP files on WordPress sites using the vulnerable Mega Menu plugin. Attackers can execute malicious code, potentially taking full control of affected websites. All WordPress sites running the vulnerable plugin version are affected.
💻 Affected Systems
- WordPress Mega Menu (QuadMenu) plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise leading to data theft, malware distribution, defacement, or ransomware deployment.
Likely Case
Website takeover, backdoor installation, credential theft, and unauthorized administrative access.
If Mitigated
Limited impact if web application firewall blocks malicious requests or file permissions restrict PHP execution.
🎯 Exploit Status
Exploitation is straightforward with public proof-of-concept available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.0.7 and later
Vendor Advisory: https://wordpress.org/plugins/quadmenu/
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'QuadMenu' plugin. 4. Click 'Update Now' if available. 5. Alternatively, download version 2.0.7+ from WordPress repository and manually update.
🔧 Temporary Workarounds
Disable vulnerable AJAX endpoint
allBlock access to the vulnerable compiler_save AJAX action via .htaccess or web server configuration
# Add to .htaccess:
RewriteCond %{QUERY_STRING} action=compiler_save [NC]
RewriteRule .* - [F,L]
Deactivate plugin
linuxTemporarily disable the Mega Menu plugin until patched
wp plugin deactivate quadmenu
🧯 If You Can't Patch
- Implement web application firewall rules to block requests containing 'compiler_save' parameter
- Restrict file permissions in WordPress uploads directory to prevent PHP execution
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → QuadMenu version. If version ≤2.0.6, system is vulnerable.Check Version:
wp plugin get quadmenu --field=versionVerify Fix Applied:
Confirm QuadMenu plugin version is 2.0.7 or higher in WordPress admin panel.📡 Detection & Monitoring
Log Indicators:
- POST requests to /wp-admin/admin-ajax.php with 'action=compiler_save' parameter
- Unexpected PHP file creation in wp-content/uploads/ directory
Network Indicators:
- HTTP requests with 'action=compiler_save' parameter to WordPress AJAX endpoint
SIEM Query:
source="web_logs" AND uri_path="/wp-admin/admin-ajax.php" AND query_string="*action=compiler_save*"