CVE-2021-24222

Published: Apr 12, 2021Modified: Jun 17, 2026

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

The WP-Curriculo Vitae Free WordPress plugin through 6.3 suffers from an arbitrary file upload issue in page where the [formCadastro] is embed. The form allows unauthenticated user to register and submit files for their profile picture as well as resume, without any file extension restriction, leading to RCE.

Affected (1)

Products: Williamluis: Wp Curriculo Vitae Free

1 product

Wp Curriculo Vitae Free

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Williamluis Wp Curriculo Vitae Free	Up to 6.3

Related CWEs

Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

References (4)

https://github.com/jinhuang1102/CVE-ID-Reports/blob/145fc4e34c9b9799275c8e19d6b02f544c88126b/WP_Curriculo_Free.md

Source: contact@wpscan.com

Third Party Advisory

https://wpscan.com/vulnerability/4d715de6-8595-4da9-808a-04a28e409900

Source: contact@wpscan.com

ExploitThird Party Advisory

https://github.com/jinhuang1102/CVE-ID-Reports/blob/145fc4e34c9b9799275c8e19d6b02f544c88126b/WP_Curriculo_Free.md

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://wpscan.com/vulnerability/4d715de6-8595-4da9-808a-04a28e409900

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.