KEVIntel

Vulnerability detail

Enriched intelligence for a single CVE

Back to KEVs

9.8

CVSS
Critical

CVE-2021-25003

PUBLISHED

WPCargo < 6.9.0 - Unauthenticated RCE

Exploited in the wild PoC available Remote Low complexity No user interaction

Vendor: Unknown
Product: WPCargo Track & Trace
Published: Mar 14, 2022
EPSS: —

Description

The WPCargo Track & Trace WordPress plugin before 6.9.0 contains a file which could allow unauthenticated attackers to write a PHP file anywhere on the web server, leading to RCE

wordpress php nuclei_scanner

CVSS scores

CVSS v3.1 9.8 Critical

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2.0 7.5

AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitation status

Exploited in the wild

Recorded 2025-04-28 00:00:00 UTC · Source

Proof of concept available

Recorded 2022-06-26 13:07:47 UTC · Source

References

https://wpscan.com/vulnerability/5c21ad35-b2fb-4a51-858f-8ffff685de4a

Known exploited vulnerability sources

Catalogues that list this CVE as a known exploited vulnerability.

Source	Added
The Shadowserver (via CIRCL)	Apr 28, 2025

Scanner integrations

Scanner	Reference	Detected
Nuclei	https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2021/CVE-2021-25003.yaml	Apr 25, 2025

Potential proof of concepts

These PoCs are unverified and could contain malware. Use at your own risk.

biulove0x/CVE-2021-25003

github · Created 2022-06-26 13:07:47 UTC · 5 stars

WPCargo < 6.9.0 - Unauthenticated RCE

Timeline

CVE ID Reserved

January 14, 2021
CVE Published to Public

March 14, 2022
Proof of Concept Exploit Available

June 26, 2022
Detected by Nuclei

April 25, 2025
Added to KEVIntel

April 28, 2025