CVE-2021-25119: 
WordPress vulnerability analysis and mitigation

The AGIL WordPress plugin through version 1.0 contains an arbitrary file upload vulnerability (CVE-2021-25119). The vulnerability was discovered by Chuang LI and publicly disclosed on April 19, 2022. The plugin accepts and automatically extracts all zip files without validating the extracted file types, affecting the automatic-grid-image-listing plugin (WPScan).

The vulnerability exists in the Grid Image Listing functionality of the plugin. When an administrator sets a base folder name and uploads a zip file through the plugin's interface at /wp-admin/admin.php?page=automatic_grid_image_listing, the plugin extracts the contents without performing proper file type validation. The extracted files are placed in the wp-content directory under the specified base folder name (WPScan).

This vulnerability allows authenticated users with administrative privileges to upload arbitrary files, including PHP files, potentially leading to Remote Code Execution (RCE) on the affected WordPress installation. The uploaded malicious files would be accessible via the WordPress content directory (WPScan).

As of the vulnerability disclosure, there is no known fix available for this issue. Site administrators using the AGIL WordPress plugin should consider removing or disabling the plugin until a security patch is released (WPScan).