6.5

CVE-2024-13691

Uncode <= 2.9.1.6 - Authenticated (Subscriber+) Arbitrary File Read in uncode_recordMedia

Uncode <= 2.9.1.6 - Authenticated (Subscriber+) Arbitrary File Read in uncode_recordMedia

The Uncode theme for WordPress is vulnerable to arbitrary file read due to insufficient input validation in the 'uncode_recordMedia' function in all versions up to, and including, 2.9.1.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read arbitrary files on the server.
Mögliche Gegenmaßnahme
Uncode: Update to version 2.9.1.7, or a newer patched version
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
UndsgnUncode SwPlatformwordpress Version < 2.9.1.7
Weitere Schwachstelleninformationen
SystemWordPress Theme
Produkt Uncode
Version *-2.9.1.6
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.37% 0.282
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
security@wordfence.com 6.5 2.8 3.6
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

https://support.undsgn.com/hc/en-us/articles/213454129-Change-Log
Release Notes
https://www.wordfence.com/threat-intel/vulnerabilities/id/d592141d-191b-4739-bc0a-07549ef2f31b?source=cve
Third Party Advisory
https://www.wordfence.com/threat-intel/vulnerabilities/id/d592141d-191b-4739-bc0a-07549ef2f31b
Third Party Advisory