7.2
CVE-2021-39352
- EPSS 75.59%
- Veröffentlicht 21.10.2021 20:15:08
- Zuletzt bearbeitet 21.11.2024 06:19:23
- Quelle security@wordfence.com
- CVE-Watchlists
- Unerledigt
LoginCatch Themes Demo Import <= 1.7 - Arbitrary File Upload
The Catch Themes Demo Import WordPress plugin is vulnerable to arbitrary file uploads via the import functionality found in the ~/inc/CatchThemesDemoImport.php file, in versions up to and including 1.7, due to insufficient file type validation. This makes it possible for an attacker with administrative privileges to upload malicious files that can be used to achieve remote code execution.
Mögliche Gegenmaßnahme
Catch Themes Demo Import: Update to version 1.8, or a newer patched version
Weitere Schwachstelleninformationen
SystemWordPress Plugin
≫
Produkt
Catch Themes Demo Import
Version
*-1.7
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Catchplugins ≫ Catch Themes Demo Import SwPlatformwordpress Version <= 1.7
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 75.59% | 0.988 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 7.2 | 1.2 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
|
| nvd@nist.gov | 6.5 | 8 | 6.4 |
AV:N/AC:L/Au:S/C:P/I:P/A:P
|
| security@wordfence.com | 7.2 | 1.2 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
|
CWE-434 Unrestricted Upload of File with Dangerous Type
The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.