Share
## https://sploitus.com/exploit?id=49BCC9DA-43E5-5091-A436-1B26C6C85834
# CVE-2021-4374 Testing Environment

Complete testing package for CVE-2021-4374 (WordPress Automatic Plugin Broken Access Control)

## ๐Ÿ“ฆ Package Contents

```
CVE-2021-4374-Testing-Package/
โ”œโ”€โ”€ README.md                           # This file
โ”œโ”€โ”€ docker-compose.yml                  # WordPress + MySQL setup
โ”œโ”€โ”€ CVE-2021-4374.yaml                  # Nuclei template
โ”œโ”€โ”€ test-script.sh                      # Automated testing script
โ”œโ”€โ”€ setup-mock-endpoint.sh              # Create mock vulnerable endpoint
โ”œโ”€โ”€ TESTING-GUIDE.md                    # Complete testing instructions
โ”œโ”€โ”€ VENDOR-CONTACT-EMAIL.txt            # Email template for vendor
โ””โ”€โ”€ VALIDATION-REPORT-TEMPLATE.md       # Report template
```

## ๐Ÿš€ Quick Start

### Prerequisites
- Docker & Docker Compose v2
- Nuclei scanner v3.0+
- curl (for verification)

### Installation

```bash
# 1. Extract the package
cd CVE-2021-4374-Testing-Package

# 2. Start WordPress environment
docker compose up -d

# 3. Wait 60 seconds for initialization
sleep 60

# 4. Create mock endpoint (for testing without real plugin)
./setup-mock-endpoint.sh

# 5. Run the test
./test-script.sh
```

## ๐Ÿ“ What You Get

### Real WordPress Environment
- WordPress 5.8
- PHP 7.4.27
- Apache 2.4.51
- MySQL 5.7
- Accessible at: http://localhost:8080

### Nuclei Template
- Complete CVE-2021-4374 detection template
- Follows ProjectDiscovery contribution guidelines
- Includes comprehensive metadata
- Ready for submission

### Testing Tools
- Automated test script
- Mock vulnerable endpoint creator
- Validation report generator

## ๐ŸŽฏ Testing Scenarios

### Scenario 1: Mock Endpoint Testing
Test template logic without the commercial plugin:
```bash
./setup-mock-endpoint.sh
./test-script.sh
```

### Scenario 2: Real Plugin Testing
If you have WP Automatic Plugin v3.53.2:
1. Complete WordPress setup at http://localhost:8080
2. Install plugin via WordPress admin
3. Run: `./test-script.sh`

## ๐Ÿ“ง Submission

### For ProjectDiscovery
```bash
# Create submission package
tar -czf CVE-2021-4374-submission.tar.gz \
  CVE-2021-4374.yaml \
  TESTING-GUIDE.md \
  validation-results.txt

# Email to: templates@projectdiscovery.io
```

### For ValvePress (Plugin Vendor)
Use the email template in `VENDOR-CONTACT-EMAIL.txt`

## ๐Ÿ“Š Expected Results

**With Mock Endpoint:**
```
[CVE-2021-4374][dsl-1] [http] [critical]
http://localhost:8080/wp-content/plugins/wp-automatic/process_form.php
```

**Without Plugin:**
```
No results found (expected - plugin not installed)
```

## ๐Ÿงน Cleanup

```bash
# Stop and remove everything
docker compose down -v
```

## ๐Ÿ“– Documentation

See `TESTING-GUIDE.md` for complete step-by-step instructions.

## โš ๏ธ Important Notes

1. **WP Automatic is COMMERCIAL**: Version 3.53.2 requires purchase or vendor permission
2. **Mock testing is LIMITED**: Only validates template logic, not actual vulnerability
3. **Full validation needed**: Real plugin required for complete validation
4. **Submission ready**: Template can be submitted for ProjectDiscovery validation

## ๐Ÿค Contributing

This package is designed for:
- Security researchers validating the template
- ProjectDiscovery team for template validation
- Vendor (ValvePress) for security testing

## ๐Ÿ“„ License

This testing package is for security research purposes only.

## ๐Ÿ”— References

- CVE: https://nvd.nist.gov/vuln/detail/CVE-2021-4374
- Blog: https://blog.nintechnet.com/critical-vulnerability-fixed-in-wordpress-automatic-plugin/
- Nuclei: https://github.com/projectdiscovery/nuclei
- Templates: https://github.com/projectdiscovery/nuclei-templates

---

**Version**: 1.0  
**Created**: November 2025  
**Status**: Ready for validation