CVE-2021-24284
N/A
N/A
Summary
The Kaswara Modern VC Addons WordPress plugin through 3.0.1 allows unauthenticated arbitrary file upload via the 'uploadFontIcon' AJAX action. The supplied zipfile being unzipped in the wp-content/uploads/kaswara/fonts_icon directory with no checks for malicious files such as PHP.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| SayenThemes | Kaswara Modern VC Addons | 3.0.1 <= 3.0.1 | affected |
Weaknesses
- CWE-434: CWE-434 Unrestricted Upload of File with Dangerous Type
ADP Enrichment
CVE Program Container
Additional References
- https://wpscan.com/vulnerability/8d66e338-a88f-4610-8d12-43e8be2da8c5
- https://codecanyon.net/item/kaswara-modern-visual-composer-addons/19341477
- http://packetstormsecurity.com/files/167743/WordPress-Kaswara-Modern-WPBakery-Page-Builder-3.0.1-File-Upload.html
References
- https://wpscan.com/vulnerability/8d66e338-a88f-4610-8d12-43e8be2da8c5
- https://codecanyon.net/item/kaswara-modern-visual-composer-addons/19341477
- http://packetstormsecurity.com/files/167743/WordPress-Kaswara-Modern-WPBakery-Page-Builder-3.0.1-File-Upload.html
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.