CVE-2021-24222— WP-Curricul Vitea Free <= 6.3 - Unauthenticated Arbitrary File Upload to RCE
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2021-24222
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
WP-Curricul Vitea Free <= 6.3 - Unauthenticated Arbitrary File Upload to RCE
Source: NVD (National Vulnerability Database)
Vulnerability Description
The WP-Curriculo Vitae Free WordPress plugin through 6.3 suffers from an arbitrary file upload issue in page where the [formCadastro] is embed. The form allows unauthenticated user to register and submit files for their profile picture as well as resume, without any file extension restriction, leading to RCE.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
危险类型文件的不加限制上传
Source: NVD (National Vulnerability Database)
Vulnerability Title
WordPress 插件 代码问题漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
WordPress 插件是WordPress开源的一个应用插件。 WP-Curriculo Vitae Free WordPress插件 6.3版本存在代码问题漏洞,该漏洞源于表单允许未经身份验证的用户注册和提交他们的头像和简历文件,没有任何文件扩展名限制,导致RCE。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Unknown | WP-Curriculo Vitae Free | 6.3 ~ 6.3 | - |
II. Public POCs for CVE-2021-24222
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2021-24222
请登录查看更多情报信息。
- https://wpscan.com/vulnerability/4d715de6-8595-4da9-808a-04a28e409900x_refsource_CONFIRM
- https://nvd.nist.gov/vuln/detail/CVE-2021-24222
Same Patch Batch · Unknown · 2021-04-12 · 14 CVEs total
| CVE-2021-24231 | Patreon WordPress < 1.7.0 - CSRF to Disconnect Sites From Patreon | |
| CVE-2021-24230 | Patreon WordPress < 1.7.0 - CSRF to Overwrite/Create User Meta | |
| CVE-2021-24229 | Patreon WordPress < 1.7.2 - Reflected XSS on patreon_save_attachment_patreon_level AJAX ac | |
| CVE-2021-24228 | Patreon WordPress < 1.7.2 - Reflected XSS on Login Form | |
| CVE-2021-24227 | Patreon WordPress < 1.7.0 - Unauthenticated Local File Disclosure | |
| CVE-2021-24226 | AccessAlly < 3.5.7 - $_SERVER Superglobal Leakage | |
| CVE-2021-24225 | Advanced Booking Calendar < 1.6.7 - Authenticated Reflected Cross-Site Scripting (XSS) | |
| CVE-2021-24224 | Easy Form Builder <= 1.0 - Authenticated Arbitrary File Upload | |
| CVE-2021-24223 | N5 Upload Form <= 1.0 - Unauthenticated Arbitrary File Upload to RCE | |
| CVE-2021-24221 | Quiz And Survey Master < 7.1.12 - Authenticated SQL injection via shortcode | |
| CVE-2021-24218 | Facebook for WordPress 3.0.0-3.0.3 - CSRF to Stored XSS and Settings Deletion | |
| CVE-2021-24217 | Facebook for WordPress < 3.0.0 - PHP Object Injection with POP Chain | |
| CVE-2021-24215 | Controlled Admin Access < 1.5.2 - Improper Access Control & Privilege Escalation |
IV. Related Vulnerabilities
Same vendor: Unknown
- CVE-2026-6433
Custom CSS JS PHP <= 2.0.7 - Unauthenticated SQL Injection t - CVE-2026-4935
SureTriggers < 1.1.23 – Unauthenticated SQLi - CVE-2026-5335
Magic Export & Import < 1.2.0 - Unauthenticated PII Disclosu - CVE-2026-5337
Frontend File Manager Plugin <= 23.6 - Subscriber+ Arbitrary - CVE-2026-5306
Check & Log Email < 2.0.13 - Unauthenticated Stored XSS
Same weakness: CWE-434
- CVE-2021-47943
TextPattern CMS 4.8.7 Remote Code Execution via File Upload - CVE-2021-47937
e107 CMS 2.3.0 Authenticated Remote Code Execution via Theme - CVE-2026-41517
Emlog: Remote Code Execution via Malicious Plugin Upload - CVE-2026-6692
Slider Revolution 7.0.0 - 7.0.10 - Authenticated (Subscriber - CVE-2026-41587
CI4MS: Unrestricted PHP File Upload via Theme Installation L
V. Comments for CVE-2021-24222
No comments yet