CVE-2021-24490: 
WordPress vulnerability analysis and mitigation

CVE-2021-24490 is a security vulnerability affecting the Email Artillery WordPress plugin versions 4.1 and below. The vulnerability was discovered by Jin Huang and publicly disclosed on August 16, 2021. The issue affects the Import Emails feature of the plugin, which lacks proper file upload validation and CSRF protection (WPScan).

The vulnerability stems from improper file upload validation in the Import Emails feature, accessible via '/wp-admin/admin.php?page=etmbu-import-email-manual'. The plugin fails to implement proper file type checks during file uploads and lacks Cross-Site Request Forgery (CSRF) protection, making it susceptible to both arbitrary file upload and CSRF attacks. However, the impact is partially mitigated by a .htaccess configuration that restricts access to the upload directory, making the uploaded malicious files only accessible on certain web servers like Nginx/IIS (WPScan).

The vulnerability allows authenticated administrators to upload arbitrary files to the server through the Import Emails feature. When combined with the CSRF vulnerability, this could potentially be exploited to upload malicious files without direct user interaction. However, the impact is somewhat limited by the .htaccess protection on the upload directory (WPScan).

As of the last update, there is no known fix available for this vulnerability in the Email Artillery plugin (WPScan).