CVE-2021-24252— Event Banner <= 1.3 - Arbitrary File Upload to RCE
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2021-24252
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Event Banner <= 1.3 - Arbitrary File Upload to RCE
Source: NVD (National Vulnerability Database)
Vulnerability Description
The Event Banner WordPress plugin through 1.3 does not verify the uploaded image file, allowing admin accounts to upload arbitrary files, such as .exe, .php, or others executable, leading to RCE. Due to the lack of CSRF check, the issue can also be used via such vector to achieve the same result, or via a LFI as authorisation checks are missing (but would require WP to be loaded)
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
危险类型文件的不加限制上传
Source: NVD (National Vulnerability Database)
Vulnerability Title
WordPress 代码问题漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
WordPress是WordPress(Wordpress)基金会的一套使用PHP语言开发的博客平台。该平台支持在PHP和MySQL的服务器上架设个人博客网站。 WordPress插件Event Banner 1.3版本及之前版本存在安全漏洞,该漏洞允许管理员帐户上传任意文件,如.exe, .php或其他可执行文件,从而导致RCE。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Unknown | Event Banner | 1.3 ~ 1.3 | - |
II. Public POCs for CVE-2021-24252
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2021-24252
请登录查看更多情报信息。
- https://wpscan.com/vulnerability/91e81c6d-f24d-4f87-bc13-746715af8f7cx_refsource_CONFIRM
- https://nvd.nist.gov/vuln/detail/CVE-2021-24252
Same Patch Batch · Unknown · 2021-05-05 · 21 CVEs total
| CVE-2021-24272 | Fitness Calculators < 1.9.6 - Cross-Site Request Forgery to Cross-Site Scripting (XSS) | |
| CVE-2021-24256 | Elementor - Header, Footer & Blocks Template < 1.5.8 - Contributor+ Stored XSS | |
| CVE-2021-24255 | Essential Addons for Elementor < 4.5.4 - Contributor+ Stored Cross-Site Scripting (XSS) | |
| CVE-2021-24264 | Image Hover Effects - Elementor Addon < 1.3.4 - Contributor+ Stored XSS | |
| CVE-2021-24263 | PowerPack Addons for Elementor < 2.3.2 - Contributor+ Stored XSS | |
| CVE-2021-24262 | WooLentor - WooCommerce Elementor Addons + Builder < 1.8.6 - Contributor+ Stored XSS | |
| CVE-2021-24261 | HT Mega - Absolute Addons for Elementor Page Builder < 1.5.7 - Contributor+ Stored XSS | |
| CVE-2021-24260 | Livemesh Addons for Elementor < 6.8 - Contributor+ Stored XSS | |
| CVE-2021-24259 | Elementor Addon Elements < 1.11.2 - Contributor+ Stored XSS | |
| CVE-2021-24257 | Premium Addons for Elementor < 4.2.8 - Contributor+ Stored Cross-Site Scripting (XSS) | |
| CVE-2021-24254 | College Publisher Import <= 0.1 - Arbitrary File Upload to RCE | |
| CVE-2021-24271 | Ultimate Addons for Elementor < 1.30.0 - Contributor+ Stored XSS | |
| CVE-2021-24270 | DethemeKit For Elementor < 1.5.5.5 - Contributor+ Stored XSS | |
| CVE-2021-24269 | Sina Extension for Elementor < 3.3.12 - Contributor+ Stored XSS | |
| CVE-2021-24268 | JetWidgets For Elementor < 1.0.9 - Contributor+ Stored XSS | |
| CVE-2021-24267 | All-in-One Addons for Elementor - WidgetKit < 2.3.10 - Contributor+ Stored XSS | |
| CVE-2021-24266 | The Plus Addons for Elementor Page Builder Lite < 2.0.6 - Contributor+ Stored XSS | |
| CVE-2021-24265 | Rife Elementor Extensions & Templates < 1.1.6 - Contributor+ Stored XSS | |
| CVE-2021-24293 | NextGEN Gallery Pro < 3.1.11 - Reflected Cross-Site Scripting (XSS) | |
| CVE-2021-24253 | Classyfrieds <= 3.8 - Authenticated Arbitrary File Upload to RCE |
IV. Related Vulnerabilities
Same vendor: Unknown
- CVE-2026-6433
Custom CSS JS PHP <= 2.0.7 - Unauthenticated SQL Injection t - CVE-2026-4935
SureTriggers < 1.1.23 – Unauthenticated SQLi - CVE-2026-5335
Magic Export & Import < 1.2.0 - Unauthenticated PII Disclosu - CVE-2026-5337
Frontend File Manager Plugin <= 23.6 - Subscriber+ Arbitrary - CVE-2026-5306
Check & Log Email < 2.0.13 - Unauthenticated Stored XSS
Same weakness: CWE-434
- CVE-2021-47943
TextPattern CMS 4.8.7 Remote Code Execution via File Upload - CVE-2021-47937
e107 CMS 2.3.0 Authenticated Remote Code Execution via Theme - CVE-2026-41517
Emlog: Remote Code Execution via Malicious Plugin Upload - CVE-2026-6692
Slider Revolution 7.0.0 - 7.0.10 - Authenticated (Subscriber - CVE-2026-41587
CI4MS: Unrestricted PHP File Upload via Theme Installation L
V. Comments for CVE-2021-24252
No comments yet