CVE-2021-42362
WordPress Popular Posts <= 5.3.2 Authenticated Arbitrary File UploadThe WordPress Popular Posts WordPress plugin is vulnerable to arbitrary file uploads due to insufficient input file type validation found in the ~/src/Image.php file which makes it possible for attackers with contributor level access and above to upload malicious files that can be used to obtain remote code execution, in versions up to and including 5.3.2.
We have discovered 23,846 live websites that are affected by CVE-2021-42362.
Affected Software
| Product |  WordPress Popular Posts |
| Category | Wordpress Plugins |
| Vulnerable Domains | 23,846 live websites (26.49% of WordPress Popular Posts install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 78 versions ( 60.94% of all versions) |
Common Weakness Enumeration
CWE-434 Unrestricted Upload of File with Dangerous TypeDetails
- Published - Nov 17, 2021
- Updated - Sep 16, 2024
Credits
- Original Researcher: Jerome Bruandet, NinTechNet Exploit Author: Simone Cristofaro (finder)
CWE
CVE References
CWE References
CVE-2021-42362 usage by Country
 United States | 4,148 websites |
 Japan | 13,039 websites |
 Russia | 955 websites |
 Germany | 758 websites |
 France | 484 websites |
 Poland | 456 websites |
 Vietnam | 324 websites |
 Brazil | 230 websites |
 GB | 181 websites |
CVE-2021-42362 usage by TLD
| .com | 12,585 websites |
| .net | 1,939 websites |
| .jp | 1,891 websites |
| .ru | 1,016 websites |
| .org | 699 websites |
| .info | 512 websites |
| .co.jp | 489 websites |
| .pl | 327 websites |
| .de | 300 websites |
| .com.br | 244 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2021-42362
Top websites that are affected by CVE-2021-42362. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| *************.uk | United States | *,*** | |
| **********.com | United States | *,*** | |
| ***************.com | United States | **,*** | |
| *******************.com | Japan | **,*** | |
| ********.tokyo | Japan | **,*** | |
| *****.com | United States | **,*** | |
| ******.com | United States | **,*** | |
| ***************.com | United States | **,*** | |
| **************.com | United States | **,*** | |
| ****.com | United States | **,*** |
FAQ
CVE-2021-42362 is Unrestricted Upload of File with Dangerous Type in WordPress Popular Posts
A total of 23,846 websites have been identified as vulnerable to CVE-2021-42362, discovered through global website indexing conducted by WebTechSurvey.
WordPress Popular Posts is susceptible to CVE-2021-42362 vulnerability.
WordPress Popular Posts versions before, and including, 5.3.2 are vulnerable to CVE-2021-42362.
References
- https://blog.nintechnet.com/improper-input-validation-fixed-in-wordpress-popular-posts-plugin/
- https://www.wordfence.com/vulnerability-advisories/#CVE-2021-42362
- https://plugins.trac.wordpress.org/changeset/2542638/wordpress-popular-posts/trunk/src/Image.php
- https://wpscan.com/vulnerability/bd4f157c-a3d7-4535-a587-0102ba4e3009
- http://packetstormsecurity.com/files/165376/WordPress-Popular-Posts-5.3.2-Remote-Code-Execution.html
- https://github.com/cabrerahector/wordpress-popular-posts/commit/d9b274cf6812eb446e4103cb18f69897ec6fe601