Search criteria
6 vulnerabilities found for kaswara by kaswara_project
FKIE_CVE-2021-4448
Vulnerability from fkie_nvd - Published: 2024-10-16 07:15 - Updated: 2024-10-30 18:18
Severity ?
7.3 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
The Kaswara Modern VC Addons plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 3.0.1 due to insufficient capability checking on various AJAX actions. This makes it possible for unauthenticated attackers to perform a wide variety of unauthorized actions such as importing data, uploading arbitrary files, deleting arbitrary files, and more.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| kaswara_project | kaswara | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:kaswara_project:kaswara:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "8B9EF5A0-624E-4C09-8DB5-8DD87CFF3FFA",
"versionEndIncluding": "3.0.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Kaswara Modern VC Addons plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 3.0.1 due to insufficient capability checking on various AJAX actions. This makes it possible for unauthenticated attackers to perform a wide variety of unauthorized actions such as importing data, uploading arbitrary files, deleting arbitrary files, and more."
},
{
"lang": "es",
"value": "El complemento Kaswara Modern VC Addons para WordPress es vulnerable a la omisi\u00f3n de autorizaci\u00f3n en versiones hasta la 3.0.1 incluida debido a una comprobaci\u00f3n insuficiente de la capacidad en varias acciones AJAX. Esto permite que atacantes no autenticados realicen una amplia variedad de acciones no autorizadas, como importar datos, cargar archivos arbitrarios, eliminar archivos arbitrarios y m\u00e1s."
}
],
"id": "CVE-2021-4448",
"lastModified": "2024-10-30T18:18:58.743",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.4,
"source": "security@wordfence.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-10-16T07:15:10.980",
"references": [
{
"source": "security@wordfence.com",
"tags": [
"Not Applicable"
],
"url": "https://codecanyon.net/item/kaswara-modern-visual-composer-addons/19341477"
},
{
"source": "security@wordfence.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3bf76527-9a11-4755-992c-02fbc1a79bae?source=cve"
}
],
"sourceIdentifier": "security@wordfence.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-862"
}
],
"source": "security@wordfence.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2021-24284
Vulnerability from fkie_nvd - Published: 2021-05-14 12:15 - Updated: 2024-11-21 05:52
Severity ?
Summary
The Kaswara Modern VC Addons WordPress plugin through 3.0.1 allows unauthenticated arbitrary file upload via the 'uploadFontIcon' AJAX action. The supplied zipfile being unzipped in the wp-content/uploads/kaswara/fonts_icon directory with no checks for malicious files such as PHP.
References
| URL | Tags | ||
|---|---|---|---|
| contact@wpscan.com | http://packetstormsecurity.com/files/167743/WordPress-Kaswara-Modern-WPBakery-Page-Builder-3.0.1-File-Upload.html | Exploit, Third Party Advisory, VDB Entry | |
| contact@wpscan.com | https://codecanyon.net/item/kaswara-modern-visual-composer-addons/19341477 | Product, Third Party Advisory | |
| contact@wpscan.com | https://wpscan.com/vulnerability/8d66e338-a88f-4610-8d12-43e8be2da8c5 | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://packetstormsecurity.com/files/167743/WordPress-Kaswara-Modern-WPBakery-Page-Builder-3.0.1-File-Upload.html | Exploit, Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://codecanyon.net/item/kaswara-modern-visual-composer-addons/19341477 | Product, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://wpscan.com/vulnerability/8d66e338-a88f-4610-8d12-43e8be2da8c5 | Exploit, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| kaswara_project | kaswara | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:kaswara_project:kaswara:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "8B9EF5A0-624E-4C09-8DB5-8DD87CFF3FFA",
"versionEndIncluding": "3.0.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Kaswara Modern VC Addons WordPress plugin through 3.0.1 allows unauthenticated arbitrary file upload via the \u0027uploadFontIcon\u0027 AJAX action. The supplied zipfile being unzipped in the wp-content/uploads/kaswara/fonts_icon directory with no checks for malicious files such as PHP."
},
{
"lang": "es",
"value": "El plugin de WordPress Kaswara Modern VC Addons versiones hasta 3.0.1, permite la carga de archivos arbitrarios no autenticados mediante la acci\u00f3n AJAX \"uploadFontIcon\".\u0026#xa0;El archivo zip proporcionado est\u00e1 siendo descomprimido en el directorio wp-content/uploads/kaswara/fonts_icon sin comprobaci\u00f3n de archivos maliciosos como PHP"
}
],
"id": "CVE-2021-24284",
"lastModified": "2024-11-21T05:52:45.527",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-05-14T12:15:08.387",
"references": [
{
"source": "contact@wpscan.com",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/167743/WordPress-Kaswara-Modern-WPBakery-Page-Builder-3.0.1-File-Upload.html"
},
{
"source": "contact@wpscan.com",
"tags": [
"Product",
"Third Party Advisory"
],
"url": "https://codecanyon.net/item/kaswara-modern-visual-composer-addons/19341477"
},
{
"source": "contact@wpscan.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://wpscan.com/vulnerability/8d66e338-a88f-4610-8d12-43e8be2da8c5"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/167743/WordPress-Kaswara-Modern-WPBakery-Page-Builder-3.0.1-File-Upload.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product",
"Third Party Advisory"
],
"url": "https://codecanyon.net/item/kaswara-modern-visual-composer-addons/19341477"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://wpscan.com/vulnerability/8d66e338-a88f-4610-8d12-43e8be2da8c5"
}
],
"sourceIdentifier": "contact@wpscan.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-434"
}
],
"source": "contact@wpscan.com",
"type": "Secondary"
}
]
}
CVE-2021-4448 (GCVE-0-2021-4448)
Vulnerability from cvelistv5 – Published: 2024-10-16 06:43 – Updated: 2024-10-16 18:06
VLAI?
Title
Kaswara Modern VC Addons <= 3.0.1 - Missing Authorization
Summary
The Kaswara Modern VC Addons plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 3.0.1 due to insufficient capability checking on various AJAX actions. This makes it possible for unauthenticated attackers to perform a wide variety of unauthorized actions such as importing data, uploading arbitrary files, deleting arbitrary files, and more.
Severity ?
7.3 (High)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SayenThemes | Kaswara Modern VC Addons |
Affected:
* , ≤ 3.0.1
(semver)
|
Credits
Ramuel Gall
Chloe Chamberland
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:kaswara_project:kaswara:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "kaswara",
"vendor": "kaswara_project",
"versions": [
{
"lessThanOrEqual": "3.0.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-4448",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-16T15:34:23.826209Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-16T18:06:05.354Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Kaswara Modern VC Addons",
"vendor": "SayenThemes",
"versions": [
{
"lessThanOrEqual": "3.0.1",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ramuel Gall"
},
{
"lang": "en",
"type": "finder",
"value": "Chloe Chamberland"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Kaswara Modern VC Addons plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 3.0.1 due to insufficient capability checking on various AJAX actions. This makes it possible for unauthenticated attackers to perform a wide variety of unauthorized actions such as importing data, uploading arbitrary files, deleting arbitrary files, and more."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-16T06:43:31.059Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3bf76527-9a11-4755-992c-02fbc1a79bae?source=cve"
},
{
"url": "https://codecanyon.net/item/kaswara-modern-visual-composer-addons/19341477"
}
],
"timeline": [
{
"lang": "en",
"time": "2021-03-19T00:00:00.000+00:00",
"value": "Disclosed"
}
],
"title": "Kaswara Modern VC Addons \u003c= 3.0.1 - Missing Authorization"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2021-4448",
"datePublished": "2024-10-16T06:43:31.059Z",
"dateReserved": "2024-10-15T18:33:45.075Z",
"dateUpdated": "2024-10-16T18:06:05.354Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-24284 (GCVE-0-2021-24284)
Vulnerability from cvelistv5 – Published: 2021-05-14 11:38 – Updated: 2024-08-03 19:28
VLAI?
Title
Kaswara Modern VC Addons <= 3.0.1 - Unauthenticated Arbitrary File Upload
Summary
The Kaswara Modern VC Addons WordPress plugin through 3.0.1 allows unauthenticated arbitrary file upload via the 'uploadFontIcon' AJAX action. The supplied zipfile being unzipped in the wp-content/uploads/kaswara/fonts_icon directory with no checks for malicious files such as PHP.
Severity ?
No CVSS data available.
CWE
- CWE-434 - Unrestricted Upload of File with Dangerous Type
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SayenThemes | Kaswara Modern VC Addons |
Affected:
3.0.1 , ≤ 3.0.1
(custom)
|
Credits
Robin Goodfellow
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:28:22.818Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/8d66e338-a88f-4610-8d12-43e8be2da8c5"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://codecanyon.net/item/kaswara-modern-visual-composer-addons/19341477"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/167743/WordPress-Kaswara-Modern-WPBakery-Page-Builder-3.0.1-File-Upload.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Kaswara Modern VC Addons",
"vendor": "SayenThemes",
"versions": [
{
"lessThanOrEqual": "3.0.1",
"status": "affected",
"version": "3.0.1",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Robin Goodfellow"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Kaswara Modern VC Addons WordPress plugin through 3.0.1 allows unauthenticated arbitrary file upload via the \u0027uploadFontIcon\u0027 AJAX action. The supplied zipfile being unzipped in the wp-content/uploads/kaswara/fonts_icon directory with no checks for malicious files such as PHP."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-14T15:06:23",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://wpscan.com/vulnerability/8d66e338-a88f-4610-8d12-43e8be2da8c5"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://codecanyon.net/item/kaswara-modern-visual-composer-addons/19341477"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/167743/WordPress-Kaswara-Modern-WPBakery-Page-Builder-3.0.1-File-Upload.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Kaswara Modern VC Addons \u003c= 3.0.1 - Unauthenticated Arbitrary File Upload",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2021-24284",
"STATE": "PUBLIC",
"TITLE": "Kaswara Modern VC Addons \u003c= 3.0.1 - Unauthenticated Arbitrary File Upload"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Kaswara Modern VC Addons",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "3.0.1",
"version_value": "3.0.1"
}
]
}
}
]
},
"vendor_name": "SayenThemes"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Robin Goodfellow"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Kaswara Modern VC Addons WordPress plugin through 3.0.1 allows unauthenticated arbitrary file upload via the \u0027uploadFontIcon\u0027 AJAX action. The supplied zipfile being unzipped in the wp-content/uploads/kaswara/fonts_icon directory with no checks for malicious files such as PHP."
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-434 Unrestricted Upload of File with Dangerous Type"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpscan.com/vulnerability/8d66e338-a88f-4610-8d12-43e8be2da8c5",
"refsource": "CONFIRM",
"url": "https://wpscan.com/vulnerability/8d66e338-a88f-4610-8d12-43e8be2da8c5"
},
{
"name": "https://codecanyon.net/item/kaswara-modern-visual-composer-addons/19341477",
"refsource": "MISC",
"url": "https://codecanyon.net/item/kaswara-modern-visual-composer-addons/19341477"
},
{
"name": "http://packetstormsecurity.com/files/167743/WordPress-Kaswara-Modern-WPBakery-Page-Builder-3.0.1-File-Upload.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/167743/WordPress-Kaswara-Modern-WPBakery-Page-Builder-3.0.1-File-Upload.html"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2021-24284",
"datePublished": "2021-05-14T11:38:17",
"dateReserved": "2021-01-14T00:00:00",
"dateUpdated": "2024-08-03T19:28:22.818Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-4448 (GCVE-0-2021-4448)
Vulnerability from nvd – Published: 2024-10-16 06:43 – Updated: 2024-10-16 18:06
VLAI?
Title
Kaswara Modern VC Addons <= 3.0.1 - Missing Authorization
Summary
The Kaswara Modern VC Addons plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 3.0.1 due to insufficient capability checking on various AJAX actions. This makes it possible for unauthenticated attackers to perform a wide variety of unauthorized actions such as importing data, uploading arbitrary files, deleting arbitrary files, and more.
Severity ?
7.3 (High)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SayenThemes | Kaswara Modern VC Addons |
Affected:
* , ≤ 3.0.1
(semver)
|
Credits
Ramuel Gall
Chloe Chamberland
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:kaswara_project:kaswara:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "kaswara",
"vendor": "kaswara_project",
"versions": [
{
"lessThanOrEqual": "3.0.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-4448",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-16T15:34:23.826209Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-16T18:06:05.354Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Kaswara Modern VC Addons",
"vendor": "SayenThemes",
"versions": [
{
"lessThanOrEqual": "3.0.1",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ramuel Gall"
},
{
"lang": "en",
"type": "finder",
"value": "Chloe Chamberland"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Kaswara Modern VC Addons plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 3.0.1 due to insufficient capability checking on various AJAX actions. This makes it possible for unauthenticated attackers to perform a wide variety of unauthorized actions such as importing data, uploading arbitrary files, deleting arbitrary files, and more."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-16T06:43:31.059Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3bf76527-9a11-4755-992c-02fbc1a79bae?source=cve"
},
{
"url": "https://codecanyon.net/item/kaswara-modern-visual-composer-addons/19341477"
}
],
"timeline": [
{
"lang": "en",
"time": "2021-03-19T00:00:00.000+00:00",
"value": "Disclosed"
}
],
"title": "Kaswara Modern VC Addons \u003c= 3.0.1 - Missing Authorization"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2021-4448",
"datePublished": "2024-10-16T06:43:31.059Z",
"dateReserved": "2024-10-15T18:33:45.075Z",
"dateUpdated": "2024-10-16T18:06:05.354Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-24284 (GCVE-0-2021-24284)
Vulnerability from nvd – Published: 2021-05-14 11:38 – Updated: 2024-08-03 19:28
VLAI?
Title
Kaswara Modern VC Addons <= 3.0.1 - Unauthenticated Arbitrary File Upload
Summary
The Kaswara Modern VC Addons WordPress plugin through 3.0.1 allows unauthenticated arbitrary file upload via the 'uploadFontIcon' AJAX action. The supplied zipfile being unzipped in the wp-content/uploads/kaswara/fonts_icon directory with no checks for malicious files such as PHP.
Severity ?
No CVSS data available.
CWE
- CWE-434 - Unrestricted Upload of File with Dangerous Type
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SayenThemes | Kaswara Modern VC Addons |
Affected:
3.0.1 , ≤ 3.0.1
(custom)
|
Credits
Robin Goodfellow
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:28:22.818Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/8d66e338-a88f-4610-8d12-43e8be2da8c5"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://codecanyon.net/item/kaswara-modern-visual-composer-addons/19341477"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/167743/WordPress-Kaswara-Modern-WPBakery-Page-Builder-3.0.1-File-Upload.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Kaswara Modern VC Addons",
"vendor": "SayenThemes",
"versions": [
{
"lessThanOrEqual": "3.0.1",
"status": "affected",
"version": "3.0.1",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Robin Goodfellow"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Kaswara Modern VC Addons WordPress plugin through 3.0.1 allows unauthenticated arbitrary file upload via the \u0027uploadFontIcon\u0027 AJAX action. The supplied zipfile being unzipped in the wp-content/uploads/kaswara/fonts_icon directory with no checks for malicious files such as PHP."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-14T15:06:23",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://wpscan.com/vulnerability/8d66e338-a88f-4610-8d12-43e8be2da8c5"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://codecanyon.net/item/kaswara-modern-visual-composer-addons/19341477"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/167743/WordPress-Kaswara-Modern-WPBakery-Page-Builder-3.0.1-File-Upload.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Kaswara Modern VC Addons \u003c= 3.0.1 - Unauthenticated Arbitrary File Upload",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2021-24284",
"STATE": "PUBLIC",
"TITLE": "Kaswara Modern VC Addons \u003c= 3.0.1 - Unauthenticated Arbitrary File Upload"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Kaswara Modern VC Addons",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "3.0.1",
"version_value": "3.0.1"
}
]
}
}
]
},
"vendor_name": "SayenThemes"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Robin Goodfellow"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Kaswara Modern VC Addons WordPress plugin through 3.0.1 allows unauthenticated arbitrary file upload via the \u0027uploadFontIcon\u0027 AJAX action. The supplied zipfile being unzipped in the wp-content/uploads/kaswara/fonts_icon directory with no checks for malicious files such as PHP."
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-434 Unrestricted Upload of File with Dangerous Type"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpscan.com/vulnerability/8d66e338-a88f-4610-8d12-43e8be2da8c5",
"refsource": "CONFIRM",
"url": "https://wpscan.com/vulnerability/8d66e338-a88f-4610-8d12-43e8be2da8c5"
},
{
"name": "https://codecanyon.net/item/kaswara-modern-visual-composer-addons/19341477",
"refsource": "MISC",
"url": "https://codecanyon.net/item/kaswara-modern-visual-composer-addons/19341477"
},
{
"name": "http://packetstormsecurity.com/files/167743/WordPress-Kaswara-Modern-WPBakery-Page-Builder-3.0.1-File-Upload.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/167743/WordPress-Kaswara-Modern-WPBakery-Page-Builder-3.0.1-File-Upload.html"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2021-24284",
"datePublished": "2021-05-14T11:38:17",
"dateReserved": "2021-01-14T00:00:00",
"dateUpdated": "2024-08-03T19:28:22.818Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}