CVE-2021-24493: 
WordPress vulnerability analysis and mitigation

The vulnerability (CVE-2021-24493) affects the Shopp WordPress plugin through version 1.4. Discovered and publicly disclosed on August 17, 2021, this security flaw exists in the shoppuploadfile AJAX action of the plugin. The vulnerability affects both authenticated and unauthenticated users, making it particularly severe (WPScan).

The vulnerability is characterized by a complete lack of security measures in the shoppuploadfile AJAX action, which allows for unrestricted file uploads. It has been assigned a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The vulnerability is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type) (NVD).

The vulnerability allows unauthenticated users to upload arbitrary files, including malicious PHP files, which can lead to Remote Code Execution (RCE) on the affected system. This level of access could potentially give attackers complete control over the WordPress installation (WPScan).

As of the latest reports, there is no known fix available for this vulnerability. Users of the Shopp WordPress plugin version 1.4 or earlier should consider removing the plugin until a security patch is released (WPScan).