CVE-2021-24171: 
WordPress vulnerability analysis and mitigation

The WooCommerce Upload Files WordPress plugin before version 59.4 contained a critical vulnerability (CVE-2021-24171) that allowed for unauthenticated arbitrary file upload. The vulnerability was discovered in early 2021 and affected the file upload functionality of the plugin (WPScan, CVE Mitre).

The vulnerability stemmed from insufficient file extension sanitization. The plugin implemented a single sanitization pass to remove blocked extensions like .php, but this could be bypassed through two methods: by embedding a blocked extension within another blocked extension in the 'wcuffilename' parameter, and by performing a double extension attack using the 'wcufcurrentuploadsessionid' parameter for path traversal. The vulnerability was classified as CWE-434 and received a CVSS score of 9.8 (Critical) (WPScan).

This vulnerability could allow attackers to upload malicious PHP files to the server, potentially leading to Remote Code Execution (RCE). The critical CVSS score of 9.8 indicates the severe potential impact on affected systems (WPScan).

The vulnerability was patched in version 59.4 of the WooCommerce Upload Files plugin. Site administrators were advised to update to this version immediately to protect their installations (WPScan).