CVE-2021-39352 Vulnerability Details

  /     /     /  

CVE-2021-39352 Metadata Quick Info

CVE Published: 21/10/2021 | CVE Updated: 16/09/2024 | CVE Year: 2021
Source: Wordfence | Vendor: Catch Themes Demo Import | Product: Catch Themes Demo Import
Status : PUBLISHED

---

CVE-2021-39352 Description

The Catch Themes Demo Import WordPress plugin is vulnerable to arbitrary file uploads via the import functionality found in the ~/inc/CatchThemesDemoImport.php file, in versions up to and including 1.7, due to insufficient file type validation. This makes it possible for an attacker with administrative privileges to upload malicious files that can be used to achieve remote code execution.

Metrics

CVSS Version: 3.1 | Base Score: 7.2 HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

l➤ Exploitability Metrics:
    Attack Vector (AV)* NETWORK
    Attack Complexity (AC)* LOW
    Privileges Required (PR)* HIGH
    User Interaction (UI)* NONE
    Scope (S)* UNCHANGED

l➤ Impact Metrics:
    Confidentiality Impact (C)* HIGH
    Integrity Impact (I)* HIGH
    Availability Impact (A)* HIGH

Weakness Enumeration (CWE)

CWE-ID: CWE-434
CWE Name: CWE-434 Unrestricted Upload of File with Dangerous Type
Source: Catch Themes Demo Import

Common Attack Pattern Enumeration and Classification (CAPEC)

CAPEC-ID:
CAPEC Description:


Source: NVD (National Vulnerability Database).