CVE-2021-24493

Published: Sep 13, 2021Modified: Jun 17, 2026

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

The shopp_upload_file AJAX action of the Shopp WordPress plugin through 1.4, available to both unauthenticated and authenticated user does not have any security measure in place to prevent upload of malicious files, such as PHP, allowing unauthenticated users to upload arbitrary files and leading to RCE

Affected (1)

Products: Ingenesis: Shopp

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Ingenesis Shopp	Up to 1.4

Related CWEs

Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

References (2)

https://wpscan.com/vulnerability/dcc7be04-550b-427a-a14f-a2365d96a00e

Source: contact@wpscan.com

ExploitThird Party Advisory

https://wpscan.com/vulnerability/dcc7be04-550b-427a-a14f-a2365d96a00e

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.