KEVIntel

Vulnerability detail

Enriched intelligence for a single CVE

Back to KEVs

9.8

CVSS
Critical

CVE-2021-24499

PUBLISHED

Workreap theme < 2.2.2 - Unauthenticated Upload Leading to Remote Code Execution

PoC available Remote Low complexity No user interaction

Vendor: Unknown
Product: Workreap
Published: Aug 09, 2021
EPSS: —

Description

The Workreap WordPress theme before 2.2.2 AJAX actions workreap_award_temp_file_uploader and workreap_temp_file_uploader did not perform nonce checks, or validate that the request is from a valid user in any other way. The endpoints allowed for uploading arbitrary files to the uploads/workreap-temp directory. Uploaded files were neither sanitized nor validated, allowing an unauthenticated visitor to upload executable code such as php scripts.

nuclei_scanner

CVSS scores

CVSS v3.1 9.8 Critical

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2.0 7.5

AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitation status

Proof of concept available

Recorded 2021-09-12 12:43:24 UTC · Source

References

Known exploited vulnerability sources

Catalogues that list this CVE as a known exploited vulnerability.

Source	Added
The Shadowserver (via CIRCL)	Jun 11, 2025

Scanner integrations

Scanner	Reference	Detected
Nuclei	https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2021/CVE-2021-24499.yaml	Apr 25, 2025

Potential proof of concepts

These PoCs are unverified and could contain malware. Use at your own risk.

j4k0m/CVE-2021-24499

github · Created 2021-09-12 12:43:24 UTC · 17 stars

Mass exploitation of CVE-2021-24499 unauthenticated upload leading to remote code execution in Workreap theme.

Timeline

CVE ID Reserved

January 14, 2021
CVE Published to Public

August 09, 2021
Proof of Concept Exploit Available

September 12, 2021
Detected by Nuclei

April 25, 2025
Added to KEVIntel

June 11, 2025