Share
## https://sploitus.com/exploit?id=49BCC9DA-43E5-5091-A436-1B26C6C85834
# CVE-2021-4374 Testing Environment
Complete testing package for CVE-2021-4374 (WordPress Automatic Plugin Broken Access Control)
## ๐ฆ Package Contents
```
CVE-2021-4374-Testing-Package/
โโโ README.md # This file
โโโ docker-compose.yml # WordPress + MySQL setup
โโโ CVE-2021-4374.yaml # Nuclei template
โโโ test-script.sh # Automated testing script
โโโ setup-mock-endpoint.sh # Create mock vulnerable endpoint
โโโ TESTING-GUIDE.md # Complete testing instructions
โโโ VENDOR-CONTACT-EMAIL.txt # Email template for vendor
โโโ VALIDATION-REPORT-TEMPLATE.md # Report template
```
## ๐ Quick Start
### Prerequisites
- Docker & Docker Compose v2
- Nuclei scanner v3.0+
- curl (for verification)
### Installation
```bash
# 1. Extract the package
cd CVE-2021-4374-Testing-Package
# 2. Start WordPress environment
docker compose up -d
# 3. Wait 60 seconds for initialization
sleep 60
# 4. Create mock endpoint (for testing without real plugin)
./setup-mock-endpoint.sh
# 5. Run the test
./test-script.sh
```
## ๐ What You Get
### Real WordPress Environment
- WordPress 5.8
- PHP 7.4.27
- Apache 2.4.51
- MySQL 5.7
- Accessible at: http://localhost:8080
### Nuclei Template
- Complete CVE-2021-4374 detection template
- Follows ProjectDiscovery contribution guidelines
- Includes comprehensive metadata
- Ready for submission
### Testing Tools
- Automated test script
- Mock vulnerable endpoint creator
- Validation report generator
## ๐ฏ Testing Scenarios
### Scenario 1: Mock Endpoint Testing
Test template logic without the commercial plugin:
```bash
./setup-mock-endpoint.sh
./test-script.sh
```
### Scenario 2: Real Plugin Testing
If you have WP Automatic Plugin v3.53.2:
1. Complete WordPress setup at http://localhost:8080
2. Install plugin via WordPress admin
3. Run: `./test-script.sh`
## ๐ง Submission
### For ProjectDiscovery
```bash
# Create submission package
tar -czf CVE-2021-4374-submission.tar.gz \
CVE-2021-4374.yaml \
TESTING-GUIDE.md \
validation-results.txt
# Email to: templates@projectdiscovery.io
```
### For ValvePress (Plugin Vendor)
Use the email template in `VENDOR-CONTACT-EMAIL.txt`
## ๐ Expected Results
**With Mock Endpoint:**
```
[CVE-2021-4374][dsl-1] [http] [critical]
http://localhost:8080/wp-content/plugins/wp-automatic/process_form.php
```
**Without Plugin:**
```
No results found (expected - plugin not installed)
```
## ๐งน Cleanup
```bash
# Stop and remove everything
docker compose down -v
```
## ๐ Documentation
See `TESTING-GUIDE.md` for complete step-by-step instructions.
## โ ๏ธ Important Notes
1. **WP Automatic is COMMERCIAL**: Version 3.53.2 requires purchase or vendor permission
2. **Mock testing is LIMITED**: Only validates template logic, not actual vulnerability
3. **Full validation needed**: Real plugin required for complete validation
4. **Submission ready**: Template can be submitted for ProjectDiscovery validation
## ๐ค Contributing
This package is designed for:
- Security researchers validating the template
- ProjectDiscovery team for template validation
- Vendor (ValvePress) for security testing
## ๐ License
This testing package is for security research purposes only.
## ๐ References
- CVE: https://nvd.nist.gov/vuln/detail/CVE-2021-4374
- Blog: https://blog.nintechnet.com/critical-vulnerability-fixed-in-wordpress-automatic-plugin/
- Nuclei: https://github.com/projectdiscovery/nuclei
- Templates: https://github.com/projectdiscovery/nuclei-templates
---
**Version**: 1.0
**Created**: November 2025
**Status**: Ready for validation