CVE-2021-24490

Published: Sep 13, 2021Modified: Jun 17, 2026

6.8

Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H

Exploitability: 0.9 / Impact: 5.9

Source: NVD

Description

The Email Artillery (MASS EMAIL) WordPress plugin through 4.1 does not properly check the uploaded files from the Import Emails feature, allowing arbitrary files to be uploaded. Furthermore, the plugin is also lacking any CSRF check, allowing such issue to be exploited via a CSRF attack as well. However, due to the presence of a .htaccess, denying access to everything in the folder the file is uploaded to, the malicious uploaded file will only be accessible on Web Servers such as Nginx/IIS

Affected (1)

Products: Email Artillery Project: Email Artillery

Email Artillery Project

1 product

Email Artillery

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Email Artillery Project Email Artillery	Up to 4.1

Related CWEs

Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

References (2)

https://wpscan.com/vulnerability/4ea0127e-afef-41bf-a005-c57432f9f58c

Source: contact@wpscan.com

ExploitThird Party Advisory

https://wpscan.com/vulnerability/4ea0127e-afef-41bf-a005-c57432f9f58c

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.