8.8
CVE-2022-1329
- EPSS 93.48%
- Veröffentlicht 19.04.2022 21:15:13
- Zuletzt bearbeitet 21.11.2024 06:40:30
- Quelle security@wordfence.com
- CVE-Watchlists
- Unerledigt
LoginElementor Website Builder 3.6.0 - 3.6.2 - Missing Authorization to Remote Code Execution
The Elementor Website Builder plugin for WordPress is vulnerable to unauthorized execution of several AJAX actions due to a missing capability check in the ~/core/app/modules/onboarding/module.php file that make it possible for attackers to modify site data in addition to uploading malicious files that can be used to obtain remote code execution, in versions 3.6.0 to 3.6.2.
Mögliche Gegenmaßnahme
Elementor Website Builder – More Than Just a Page Builder: Update to version 3.6.3, or a newer patched version
Weitere Schwachstelleninformationen
SystemWordPress Plugin
≫
Produkt
Elementor Website Builder – More Than Just a Page Builder
Version
3.6.0-3.6.2
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Elementor ≫ Website Builder SwPlatformwordpress Version >= 3.6.0 <= 3.6.2
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 93.48% | 0.998 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 8.8 | 2.8 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
| nvd@nist.gov | 6.5 | 8 | 6.4 |
AV:N/AC:L/Au:S/C:P/I:P/A:P
|
| security@wordfence.com | 8.8 | 2.8 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
CWE-434 Unrestricted Upload of File with Dangerous Type
The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
CWE-862 Missing Authorization
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.