CVE-2021-24620

Published: Sep 13, 2021Modified: Jun 17, 2026

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

The WordPress Simple Ecommerce Shopping Cart Plugin- Sell products through Paypal plugin through 2.2.5 does not check for the uploaded Downloadable Digital product file, allowing any file, such as PHP to be uploaded by an administrator. Furthermore, as there is no CSRF in place, attackers could also make a logged admin upload a malicious PHP file, which would lead to RCE

Affected (1)

Products: Simple E Commerce Shopping Cart Project: Simple E Commerce Shopping Cart

Simple E Commerce Shopping Cart Project

1 product

Simple E Commerce Shopping Cart

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Simple E Commerce Shopping Cart Project Simple E Commerce Shopping Cart	Up to 2.2.5

Related CWEs

Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

References (2)

https://wpscan.com/vulnerability/1f2b3c4a-f7e9-4d22-b71e-f6b051fd8349

Source: contact@wpscan.com

ExploitThird Party Advisory

https://wpscan.com/vulnerability/1f2b3c4a-f7e9-4d22-b71e-f6b051fd8349

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.