CVE-2021-34624

ProfilePress 3.0 - 3.1.3 - Arbitrary File Upload in File Uploader Component

Basic Information

CVE State
PUBLISHED
Reserved Date
June 10, 2021
Published Date
July 07, 2021
Last Updated
October 15, 2024
Vendor
ProfilePress
Product
ProfilePress
Description
A vulnerability in the file uploader component found in the ~/src/Classes/FileUploader.php file of the ProfilePress WordPress plugin made it possible for users to upload arbitrary files during user registration or during profile updates. This issue affects versions 3.0.0 - 3.1.3.
Tags
wordpress php

CVSS Scores

CVSS v3.1

9.8 - CRITICAL

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2.0

7.5

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS Score

Score
0.92% (Percentile: 74.88%) as of 2025-06-13

SSVC Information

Exploitation
poc
Automatable
Yes
Technical Impact
total

Exploit Status

Exploited in the Wild
Yes (2025-06-11 00:00:00 UTC)

Known Exploited Vulnerability Information

Source
The Shadowserver (via CIRCL)
Added Date
2025-06-12 12:00:25 UTC

Timeline

  • CVE ID Reserved

  • CVE Published to Public

  • Added to KEVIntel