CVE-2021-42362 Overview
The WordPress Popular Posts plugin for WordPress is vulnerable to arbitrary file upload because of insufficient file-type validation in ~/src/Image.php. Versions up to and including 5.3.2 are affected. An authenticated attacker with the Contributor role or higher can make the plugin fetch and store a non-image file, such as a PHP script, and then request that file directly to achieve remote code execution on the affected site.
Critical Impact
Authenticated attackers with Contributor-level permissions can get a PHP file written into the plugin's uploads directory and execute it as the web server user, which in practice means full compromise of the site and often of the underlying host.
Affected Products
- WordPress Popular Posts versions up to and including 5.3.2 (fixed in 5.3.3)
- Any WordPress installation running an affected version, in particular sites that grant the Contributor role or higher to users who are not fully trusted
Discovery Timeline
- 2021-11-17 - CVE-2021-42362 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-42362
Vulnerability Analysis
This arbitrary file upload vulnerability (CWE-434, Unrestricted Upload of File with Dangerous Type) stems from improper input validation in the plugin's image handling. Image.php fetches images from user-supplied URLs and stores them in the plugin's uploads directory without first verifying that the URL points to an image.
Neither the file extension nor the content type of the fetched resource was checked, so a contributor could supply a URL whose basename ends in .php; the plugin would download it and write it to disk under that name, where the web server would treat it as executable PHP. Requesting the stored file over HTTP then runs the attacker's code on the server.
The bug is particularly dangerous because the Contributor role is routinely handed to guest authors and other low-trust users: it turns an account that is only supposed to draft posts into full code execution on the host.
Root Cause
The root cause is fetch_external_image() in src/Image.php. It accepts a user-influenced URL, downloads the resource, and writes it to the plugin's uploads directory under a filename built from the URL's own basename ("{$id}_" followed by sanitize_file_name(rawurldecode(wp_basename($url)))). Nothing checked that the URL, or the bytes fetched from it, described an image, so the extension of the stored file was whatever the attacker placed at the end of the URL.
Attack Vector
The attack is network-based and requires an authenticated account with at least Contributor privileges on the WordPress installation. The sequence is:
- Authenticate to the site as a Contributor or higher.
- Host a PHP webshell or other script on an attacker-controlled server, at a URL whose basename ends in .php.
- Supply that URL to the plugin's external-image fetching feature.
- The plugin downloads the file and stores it in its uploads directory under the URL's basename, without validating it.
- Request the stored file directly over HTTP; the web server executes it as PHP.
*/
private function fetch_external_image($id, $url)
{
+ if ( ! $this->is_image_url($url) )
+ return false;
+
$full_image_path = trailingslashit($this->get_plugin_uploads_dir()['basedir']) . "{$id}_" . sanitize_file_name(rawurldecode(wp_basename($url)));
// if the file exists already, return URL and path
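Review bot: the new guard at the top of fetch_external_image() decides on the URL string alone, before anything is fetched; nothing in this hunk inspects the bytes that actually come back, and $full_image_path on the following line is still named from wp_basename($url), so the stored extension remains whatever the URL ends with. If is_image_url() only tests the extension (its body is not part of this hunk), the check says nothing about the content the remote host returns for a URL that ends in .jpg. Consider also validating the downloaded data before writing it (for example with getimagesize() or wp_check_filetype_and_ext()), deriving the stored extension from the detected type rather than from the URL, and adding a one-line comment above `if ( ! $this->is_image_url($url) )` stating what the check rejects, since the bare `return false;` gives the next reader no hint.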
Source: GitHub Commit for Plugin
The patch adds an early return guarded by is_image_url(), so fetch_external_image() rejects URLs that do not look like image URLs before anything is downloaded.
Detection Methods for CVE-2021-42362
Indicators of Compromise
- Unexpected PHP files, or files with double extensions such as name.php.jpg, in the WordPress Popular Posts uploads directory
- Web server access logs showing requests for non-image files under the plugin's upload path, especially requests carrying query strings or POST bodies
- New or modified files in /wp-content/uploads/wordpress-popular-posts/ whose extension or leading bytes do not match an image format
- Anomalous outbound network connections from the web server following such requests
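A scanner for the file-system indicators above, as an added example that is not code from the plugin or the original advisory. It walks the plugin's uploads directory and flags each file on three independent signals: a non-image extension, a double extension containing a PHP extension, and leading bytes that do not match a known image format or that contain a PHP open tag. The sample directory it builds is constructed for the demonstration and is not real evidence; the set of expected image extensions is an assumption to tune for your site.

```python
"""Hunt for non-image files in the WordPress Popular Posts uploads directory.

Added example, not code from the plugin or the original advisory. Each file is
checked three ways: extension, PHP-like double extension, and leading bytes, so a
PHP script stored under an image-looking name is still caught.
"""
import os
import tempfile
from typing import Dict, List, Optional

# Extensions the plugin is expected to store (assumed list). Anything else deserves a look.
IMAGE_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "webp"}

# Leading bytes of common image formats.
MAGIC = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}


def sniff_image_type(head: bytes) -> Optional[str]:
    """Identify an image format from its first bytes, or None if unrecognised."""
    for prefix, kind in MAGIC.items():
        if head.startswith(prefix):
            return kind
    if head[:4] == b"RIFF" and head[8:12] == b"WEBP":
        return "webp"
    return None


def classify_file(path: str) -> List[str]:
    """Return the reasons a file looks suspicious; an empty list means it looks like an image."""
    reasons = []
    exts = os.path.basename(path).lower().split(".")[1:]
    if not exts:
        reasons.append("no extension")
    else:
        if exts[-1] not in IMAGE_EXTENSIONS:
            reasons.append("non-image extension ." + exts[-1])
        if len(exts) > 1 and any(e.startswith("php") or e == "phtml" for e in exts):
            reasons.append("double extension containing a PHP extension")
    with open(path, "rb") as f:
        head = f.read(512)
    if sniff_image_type(head) is None:
        reasons.append("content does not start like a known image format")
    if b"<?php" in head or b"<?=" in head:
        # Catches plain scripts and GIF/PHP polyglots whose magic bytes check out.
        reasons.append("PHP open tag within the first 512 bytes")
    return reasons


def scan_uploads_dir(root: str) -> Dict[str, List[str]]:
    """Walk the uploads directory and map each suspicious file to its reasons."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            reasons = classify_file(full)
            if reasons:
                findings[os.path.relpath(full, root)] = reasons
    return findings


def build_sample_dir() -> str:
    """Create a constructed sample directory (not real evidence) to exercise the scanner."""
    root = tempfile.mkdtemp(prefix="wpp_uploads_")
    samples = {
        "12_banner.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,       # genuine JPEG header
        "17_photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,       # genuine PNG header
        "23_shell.php": b"<?php /* webshell stand-in */ ?>",        # script stored under .php
        "31_pic.jpg": b"<?php /* script behind image name */ ?>",   # wrong bytes for a .jpg
        "42_logo.gif": b"GIF89a<?php /* polyglot */ ?>",            # valid GIF magic plus PHP
        "55_img.php.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 8,        # double extension
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    for rel, reasons in sorted(scan_uploads_dir(build_sample_dir()).items()):
        print(rel + ": " + "; ".join(reasons))
```

Point scan_uploads_dir() at the real /wp-content/uploads/wordpress-popular-posts/ directory; the two genuine image samples produce no findings, while the other four are each reported with the specific signal that caught them. A name-only check would have missed the .jpg that holds PHP and the GIF/PHP polyglot.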
Detection Strategies
- Monitor file system changes in the plugin's uploads directory for files whose extension or leading bytes are not those of an image
- Implement web application firewall (WAF) rules that flag submitted image URLs ending in .php or other executable extensions; the file arrives through a server-side fetch, not a multipart upload, so generic upload rules will not see it
- Review WordPress user accounts for unexpected Contributor or higher-level privileges
- Analyze web server logs for POST requests to WordPress Popular Posts endpoints followed by GET requests for non-image files under the plugin's upload path from the same client
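The log correlation described in the last strategy, as an added example that is not code from the plugin or the original advisory. It parses Apache combined-format access log lines, flags GET requests for non-image files under the plugin's uploads path, and records whether the same client POSTed to /wp-admin/ within a window beforehand. The /wp-admin/ prefix is an assumed stand-in for the plugin's endpoints, which the advisory does not name, and the sample lines are constructed, not real traffic.

```python
"""Correlate access log lines for the upload-then-execute pattern.

Added example, not code from the plugin or the original advisory. Parses Apache
combined-format lines, flags GET requests for non-image files under the plugin's
uploads path, and notes whether the same client POSTed to /wp-admin/ (assumed
stand-in for the plugin's endpoints) shortly before.
"""
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

UPLOADS_PREFIX = "/wp-content/uploads/wordpress-popular-posts/"
IMAGE_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "webp"}  # assumed list of expected types

# Apache combined log format: client, identd, user, [timestamp] "request" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines (not real traffic). Two unrelated clients fetch files from the
# uploads path; one client POSTs to wp-admin and then requests a .php file there.
SAMPLE_LOG = [
    '203.0.113.7 - - [17/Nov/2021:10:15:02 +0000] "POST /wp-admin/post.php HTTP/1.1" 302 -',
    '203.0.113.7 - - [17/Nov/2021:10:15:40 +0000] "GET /wp-content/uploads/wordpress-popular-posts/23_shell.php?c=id HTTP/1.1" 200 512',
    '198.51.100.4 - - [17/Nov/2021:10:16:01 +0000] "GET /wp-content/uploads/wordpress-popular-posts/12_banner.jpg HTTP/1.1" 200 40213',
    '198.51.100.9 - - [17/Nov/2021:11:02:13 +0000] "GET /wp-content/uploads/wordpress-popular-posts/31_pic.php.jpg HTTP/1.1" 404 -',
]


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],  # drop the query string
        "status": int(m["status"]),
    }


def is_suspicious_upload_request(path: str) -> bool:
    """True for a request under the plugin uploads path whose name is not a plain image."""
    if not path.startswith(UPLOADS_PREFIX):
        return False
    exts = path.rsplit("/", 1)[-1].lower().split(".")[1:]
    if not exts or exts[-1] not in IMAGE_EXTENSIONS:
        return True
    return any(e.startswith("php") or e == "phtml" for e in exts)  # e.g. name.php.jpg


def find_upload_then_execute(
    lines: List[str], window: timedelta = timedelta(minutes=30)
) -> List[Tuple[str, str, int, bool]]:
    """Return (ip, path, status, preceded_by_admin_post) for each suspicious GET."""
    events = [e for e in (parse_line(line) for line in lines) if e]
    admin_posts: Dict[str, List[datetime]] = {}
    for e in events:
        if e["method"] == "POST" and e["path"].startswith("/wp-admin/"):
            admin_posts.setdefault(e["ip"], []).append(e["ts"])
    hits = []
    for e in events:
        if e["method"] == "GET" and is_suspicious_upload_request(e["path"]):
            preceded = any(timedelta(0) <= e["ts"] - t <= window for t in admin_posts.get(e["ip"], []))
            hits.append((e["ip"], e["path"], e["status"], preceded))
    return hits


if __name__ == "__main__":
    for ip, path, status, preceded in find_upload_then_execute(SAMPLE_LOG):
        note = "POST to wp-admin shortly before" if preceded else "no preceding admin POST seen"
        print(f"{ip} GET {path} -> {status} ({note})")
```

Feed the function the lines of your access log (or stream them through it). Of the sample lines, the .php request from 203.0.113.7 is reported with the preceding admin POST, the double-extension request from 198.51.100.9 is reported without one, and the ordinary .jpg request is ignored. A 200 response to the flagged .php request is the strongest signal, since it means the server executed the file rather than refusing it.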
Monitoring Recommendations
- Enable file integrity monitoring on WordPress upload directories
- Configure alerting for new file creations with executable extensions in plugin directories
- Monitor for unusual PHP process spawning patterns that may indicate webshell activity
- Implement logging for all authenticated user actions within WordPress admin interfaces
How to Mitigate CVE-2021-42362
Immediate Actions Required
- Update WordPress Popular Posts plugin to version 5.3.3 or later immediately
- Audit the WordPress Popular Posts uploads directory for any suspicious or unexpected files
- Review and restrict contributor-level user accounts to only trusted individuals
- Consider temporarily disabling the plugin if immediate patching is not possible
Patch Information
The vulnerability is addressed in WordPress Popular Posts version 5.3.3 and later. The fix has fetch_external_image() validate the supplied URL with is_image_url() and return early when the URL does not look like an image URL, so nothing is downloaded or stored for such requests.
For detailed information about the security fix, refer to the WordPress Trac Changeset and the GitHub Commit for Plugin.
Workarounds
- Restrict the Contributor and Author roles, using WordPress role management plugins where needed, so that only trusted users hold them
- Block PHP and other executable file types from being served or executed out of upload directories at the web server level
- Deny direct execution of PHP files in the plugin's uploads directory (Apache example below); nginx does not read .htaccess and needs an equivalent location block
- Deploy a web application firewall with rules that inspect the image URL submitted to the plugin, since the file reaches the server through a server-side fetch rather than a multipart upload
# Apache .htaccess configuration to prevent PHP execution in uploads
# Add to /wp-content/uploads/wordpress-popular-posts/.htaccess
# Apache 2.4 syntax; only honoured if AllowOverride AuthConfig (or All) is set for this directory
# Extend the pattern if this server also maps .phar or .pht to the PHP handler
<FilesMatch "\.(?:php|phtml|php[0-9])$">
Require all denied
</FilesMatch>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.