CVE-2021-24222
moderate-risk
Published 2021-04-12
The WP-Curriculo Vitae Free WordPress plugin through 6.3 suffers from an arbitrary file upload issue in page where the [formCadastro] is embed. The form allows unauthenticated user to register and submit files for their profile picture as well as resume, without any file extension restriction, leading to RCE.
Do I need to act?
~
5.7% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.8/10
Critical
NETWORK
/ LOW complexity
Affected Products (1)
Wp-Curriculo Vitae Free
Affected Vendors
References (4)
Third Party Advisory
https://github.com/jinhuang1102/CVE-ID-Reports/blob/145fc4e34c9b9799275c8e19d6b0...
Third Party Advisory
https://github.com/jinhuang1102/CVE-ID-Reports/blob/145fc4e34c9b9799275c8e19d6b0...
46
/ 100
moderate-risk
Severity
32/34 · Critical
Exploitability
9/34 · Low
Exposure
5/34 · Minimal