CVSS 7.2
CVE-2021-24254
- EPSS 1.84%
- Published 2021-05-06 13:15:11
- Last modified 2024-11-21 05:52:41
- Source contact@wpscan.com
College Publisher Import <= 0.1 - Arbitrary File Upload to RCE
The College Publisher Import WordPress plugin through 0.1 does not validate the file uploaded for CSV import, allowing high-privilege users to upload arbitrary files, such as PHP, leading to RCE. Because there is no CSRF check, the issue could also be exploited via a CSRF attack.
Possible mitigation
College publisher Import: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Data provided by the National Vulnerability Database (NVD)
College Publisher Import Project ≫ College Publisher Import (software platform: WordPress), version <= 0.1
Further vulnerability information
System: WordPress Plugin
Product: College Publisher Import
Version: *-0.1
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 1.84% | 0.763 |

| Source | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 7.2 | 1.2 | 5.9 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| nvd@nist.gov | 6.5 | 8 | 6.4 | AV:N/AC:L/Au:S/C:P/I:P/A:P |

CWE-434: Unrestricted Upload of File with Dangerous Type
The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
https://github.com/jinhuang1102/CVE-ID-Reports/blob/master/College%20Puglisher%20Import.md
https://wpscan.com/vulnerability/bb3e56dd-ae2e-45c2-a6c9-a59ae5fc1dc4
https://www.wordfence.com/threat-intel/vulnerabilities/id/b2849cb5-9277-460d-a429-6253c98c1554