7.2
CVE-2021-24254
- EPSS 0.91%
- Published 06.05.2021 13:15:11
- Last modified 21.11.2024 05:52:41
- Source contact@wpscan.com
College publisher Import <= 0.1 - Arbitrary File Upload
The College publisher Import WordPress plugin through 0.1 does not validate the CSV file uploaded for import, allowing high-privilege users to upload arbitrary files, such as PHP, leading to RCE. Due to the lack of a CSRF check, the issue could also be exploited via a CSRF attack.
Possible Mitigation
College publisher Import: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Further Vulnerability Information
System: WordPress Plugin
Product: College publisher Import
Version: *-0.1
Data provided by the National Vulnerability Database (NVD)
College Publisher Import Project ≫ College Publisher Import (software platform: wordpress), Version <= 0.1
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.91% | 0.751 |
| Source | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 7.2 | 1.2 | 5.9 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| nvd@nist.gov | 6.5 | 8 | 6.4 | AV:N/AC:L/Au:S/C:P/I:P/A:P |
CWE-434 Unrestricted Upload of File with Dangerous Type
The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.