Vulnerability Description
The Kaswara Modern VC Addons WordPress plugin through 3.0.1 allows unauthenticated arbitrary file upload via the 'uploadFontIcon' AJAX action. The supplied zip file is unzipped into the wp-content/uploads/kaswara/fonts_icon directory with no checks for malicious files such as PHP, so an uploaded archive can place server-executable code in a web-accessible path.
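The weakness described above has two parts: the AJAX action is reachable without authentication, and the archive is extracted without inspecting its entries. The following PHP is an added defensive example and is not the Kaswara plugin's own code; the handler name, the nonce action name, the upload field name and the allowlist of font-icon file types are assumptions. It shows the checks an upload handler of this kind needs: capability and nonce verification before any work is done, rejection of entries that escape the target directory, and rejection of entries whose name carries a server-executable extension anywhere in it.

```php
<?php
// Added defensive example, not code from the Kaswara plugin. Names marked
// "assumed" are illustration only.

/**
 * Return the zip entries that are unsafe to extract, or an empty array when
 * every entry passes. Only plain icon-font assets are accepted, and no entry
 * may resolve outside the extraction directory.
 */
function fonticon_zip_violations(ZipArchive $zip): array {
    // Assumed allowlist: what an icon-font pack legitimately contains.
    $allowed = ['css', 'eot', 'svg', 'ttf', 'woff', 'woff2', 'json', 'txt'];
    // Extensions that a typical PHP web server will execute or interpret.
    $exec = ['php', 'phtml', 'phar', 'php3', 'php4', 'php5', 'php7', 'phps', 'inc', 'htaccess'];
    $violations = [];

    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = $zip->getNameIndex($i);

        // Zip slip: absolute paths, backslashes or ".." components would write
        // outside wp-content/uploads/kaswara/fonts_icon.
        if ($name === '' || $name[0] === '/' || strpos($name, '\\') !== false
            || preg_match('#(^|/)\.\.(/|$)#', $name)) {
            $violations[] = "path traversal: $name";
            continue;
        }
        // Directory entries carry no content; the traversal check above suffices.
        if (substr($name, -1) === '/') {
            continue;
        }

        $segments = explode('.', strtolower(basename($name)));
        array_shift($segments); // drop the file stem, keep every extension
        if ($segments === [] || !in_array(end($segments), $allowed, true)) {
            $violations[] = "disallowed type: $name";
            continue;
        }
        // Double extensions such as "icon.php.svg" are executed by some Apache
        // AddHandler configurations, so every inner segment is screened too.
        foreach ($segments as $seg) {
            if (in_array($seg, $exec, true)) {
                $violations[] = "executable segment: $name";
                break;
            }
        }
    }
    return $violations;
}

/**
 * AJAX handler (assumed name). The vulnerable pattern extracted the upload
 * immediately; this version first requires a logged-in user with an admin
 * capability and a valid nonce, then validates the archive before extracting.
 */
function hardened_upload_font_icon(): void {
    // Authentication and authorisation, which the vulnerable action lacked.
    check_ajax_referer('kaswara_font_icon_upload', 'nonce'); // nonce action name is assumed
    if (!current_user_can('manage_options')) {
        wp_send_json_error('insufficient privileges', 403);
    }
    if (empty($_FILES['fonticon']['tmp_name'])) { // field name is assumed
        wp_send_json_error('no file', 400);
    }

    $zip = new ZipArchive();
    if ($zip->open($_FILES['fonticon']['tmp_name']) !== true) {
        wp_send_json_error('not a zip archive', 400);
    }

    $violations = fonticon_zip_violations($zip);
    if ($violations !== []) {
        $zip->close();
        // Log the rejection so the attempt is visible to detection tooling.
        error_log('font icon upload rejected: ' . implode('; ', $violations));
        wp_send_json_error('archive contains disallowed entries', 400);
    }

    $upload = wp_upload_dir();
    $target = trailingslashit($upload['basedir']) . 'kaswara/fonts_icon/';
    wp_mkdir_p($target);
    $zip->extractTo($target);
    $zip->close();
    wp_send_json_success('font icon pack installed');
}

// Registering only the wp_ajax_ hook (and not wp_ajax_nopriv_) keeps the
// action unreachable for visitors who are not logged in.
add_action('wp_ajax_uploadFontIcon', 'hardened_upload_font_icon');
```

The allowlist on the final extension is the primary control; the executable-segment screen and the traversal check cover the cases where a permissive-looking name still ends up interpreted by the server or written outside the upload directory. Registering the handler on `wp_ajax_` alone, without a `wp_ajax_nopriv_` counterpart, is what removes the unauthenticated reachability the record describes.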
CVSS Score
9.8 (CRITICAL)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Kaswara Project | Kaswara | <= 3.0.1 |
Related Weaknesses (CWE)
References
- http://packetstormsecurity.com/files/167743/WordPress-Kaswara-Modern-WPBakery-Pa (Exploit, Third Party Advisory, VDB Entry)
- https://codecanyon.net/item/kaswara-modern-visual-composer-addons/19341477 (Product, Third Party Advisory)
- https://wpscan.com/vulnerability/8d66e338-a88f-4610-8d12-43e8be2da8c5 (Exploit, Third Party Advisory)
FAQ
What is CVE-2021-24284?
CVE-2021-24284 is a vulnerability with a CVSS score of 9.8 (CRITICAL). The Kaswara Modern VC Addons WordPress plugin through 3.0.1 allows unauthenticated arbitrary file upload via the 'uploadFontIcon' AJAX action. The supplied zipfile being unzipped in the wp-content/upl...
How severe is CVE-2021-24284?
CVE-2021-24284 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2021-24284?
Check the references section above for vendor advisories and patch information. Affected products include: Kaswara Project Kaswara.