CVE-2021-4448 (GCVE-0-2021-4448)
Vulnerability from cvelistv5 – Published: 2024-10-16 06:43 – Updated: 2024-10-16 18:06
VLAI?
Title
Kaswara Modern VC Addons <= 3.0.1 - Missing Authorization
Summary
The Kaswara Modern VC Addons plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 3.0.1 due to insufficient capability checking on various AJAX actions. This makes it possible for unauthenticated attackers to perform a wide variety of unauthorized actions such as importing data, uploading arbitrary files, deleting arbitrary files, and more.
Severity ?
7.3 (High)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SayenThemes | Kaswara Modern VC Addons |
Affected:
* , ≤ 3.0.1
(semver)
|
Credits
Ramuel Gall
Chloe Chamberland
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:kaswara_project:kaswara:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "kaswara",
"vendor": "kaswara_project",
"versions": [
{
"lessThanOrEqual": "3.0.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-4448",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-16T15:34:23.826209Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-16T18:06:05.354Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Kaswara Modern VC Addons",
"vendor": "SayenThemes",
"versions": [
{
"lessThanOrEqual": "3.0.1",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ramuel Gall"
},
{
"lang": "en",
"type": "finder",
"value": "Chloe Chamberland"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Kaswara Modern VC Addons plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 3.0.1 due to insufficient capability checking on various AJAX actions. This makes it possible for unauthenticated attackers to perform a wide variety of unauthorized actions such as importing data, uploading arbitrary files, deleting arbitrary files, and more."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-16T06:43:31.059Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3bf76527-9a11-4755-992c-02fbc1a79bae?source=cve"
},
{
"url": "https://codecanyon.net/item/kaswara-modern-visual-composer-addons/19341477"
}
],
"timeline": [
{
"lang": "en",
"time": "2021-03-19T00:00:00.000+00:00",
"value": "Disclosed"
}
],
"title": "Kaswara Modern VC Addons \u003c= 3.0.1 - Missing Authorization"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2021-4448",
"datePublished": "2024-10-16T06:43:31.059Z",
"dateReserved": "2024-10-15T18:33:45.075Z",
"dateUpdated": "2024-10-16T18:06:05.354Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:kaswara_project:kaswara:*:*:*:*:*:wordpress:*:*\", \"versionEndIncluding\": \"3.0.1\", \"matchCriteriaId\": \"8B9EF5A0-624E-4C09-8DB5-8DD87CFF3FFA\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"The Kaswara Modern VC Addons plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 3.0.1 due to insufficient capability checking on various AJAX actions. This makes it possible for unauthenticated attackers to perform a wide variety of unauthorized actions such as importing data, uploading arbitrary files, deleting arbitrary files, and more.\"}, {\"lang\": \"es\", \"value\": \"El complemento Kaswara Modern VC Addons para WordPress es vulnerable a la omisi\\u00f3n de autorizaci\\u00f3n en versiones hasta la 3.0.1 incluida debido a una comprobaci\\u00f3n insuficiente de la capacidad en varias acciones AJAX. Esto permite que atacantes no autenticados realicen una amplia variedad de acciones no autorizadas, como importar datos, cargar archivos arbitrarios, eliminar archivos arbitrarios y m\\u00e1s.\"}]",
"id": "CVE-2021-4448",
"lastModified": "2024-10-30T18:18:58.743",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"security@wordfence.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L\", \"baseScore\": 7.3, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"LOW\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 3.4}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 9.8, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 5.9}]}",
"published": "2024-10-16T07:15:10.980",
"references": "[{\"url\": \"https://codecanyon.net/item/kaswara-modern-visual-composer-addons/19341477\", \"source\": \"security@wordfence.com\", \"tags\": [\"Not Applicable\"]}, {\"url\": \"https://www.wordfence.com/threat-intel/vulnerabilities/id/3bf76527-9a11-4755-992c-02fbc1a79bae?source=cve\", \"source\": \"security@wordfence.com\", \"tags\": [\"Third Party Advisory\"]}]",
"sourceIdentifier": "security@wordfence.com",
"vulnStatus": "Analyzed",
"weaknesses": "[{\"source\": \"security@wordfence.com\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-862\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2021-4448\",\"sourceIdentifier\":\"security@wordfence.com\",\"published\":\"2024-10-16T07:15:10.980\",\"lastModified\":\"2024-10-30T18:18:58.743\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The Kaswara Modern VC Addons plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 3.0.1 due to insufficient capability checking on various AJAX actions. This makes it possible for unauthenticated attackers to perform a wide variety of unauthorized actions such as importing data, uploading arbitrary files, deleting arbitrary files, and more.\"},{\"lang\":\"es\",\"value\":\"El complemento Kaswara Modern VC Addons para WordPress es vulnerable a la omisi\u00f3n de autorizaci\u00f3n en versiones hasta la 3.0.1 incluida debido a una comprobaci\u00f3n insuficiente de la capacidad en varias acciones AJAX. Esto permite que atacantes no autenticados realicen una amplia variedad de acciones no autorizadas, como importar datos, cargar archivos arbitrarios, eliminar archivos arbitrarios y m\u00e1s.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security@wordfence.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L\",\"baseScore\":7.3,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":3.9,\"impactScore\":3.4},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security@wordfence.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-862\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:kaswara_project:kaswara:*:*:*:*:*:wordpress:*:*\",\"versionEndIncluding\":\"3.0.1\",\"matchCriteriaId\":\"8B9EF5A0-624E-4C09-8DB5-8DD87CFF3FFA\"}]}]}],\"references\":[{\"url\":\"https://codecanyon.net/item/kaswara-modern-visual-composer-addons/19341477\",\"source\":\"security@wordfence.com\",\"tags\":[\"Not Applicable\"]},{\"url\":\"https://www.wordfence.com/threat-intel/vulnerabilities/id/3bf76527-9a11-4755-992c-02fbc1a79bae?source=cve\",\"source\":\"security@wordfence.com\",\"tags\":[\"Third Party Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2021-4448\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-10-16T15:34:23.826209Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:kaswara_project:kaswara:*:*:*:*:*:*:*:*\"], \"vendor\": \"kaswara_project\", \"product\": \"kaswara\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"3.0.1\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-10-16T18:01:35.413Z\"}}], \"cna\": {\"title\": \"Kaswara Modern VC Addons \u003c= 3.0.1 - Missing Authorization\", \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Ramuel Gall\"}, {\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Chloe Chamberland\"}], \"metrics\": [{\"cvssV3_1\": {\"version\": \"3.1\", \"baseScore\": 7.3, \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L\"}}], \"affected\": [{\"vendor\": \"SayenThemes\", \"product\": \"Kaswara Modern VC Addons\", \"versions\": [{\"status\": \"affected\", \"version\": \"*\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"3.0.1\"}], \"defaultStatus\": \"unaffected\"}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2021-03-19T00:00:00.000+00:00\", \"value\": \"Disclosed\"}], \"references\": [{\"url\": \"https://www.wordfence.com/threat-intel/vulnerabilities/id/3bf76527-9a11-4755-992c-02fbc1a79bae?source=cve\"}, {\"url\": \"https://codecanyon.net/item/kaswara-modern-visual-composer-addons/19341477\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"The Kaswara Modern VC Addons plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 3.0.1 due to insufficient capability checking on various AJAX actions. This makes it possible for unauthenticated attackers to perform a wide variety of unauthorized actions such as importing data, uploading arbitrary files, deleting arbitrary files, and more.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-862\", \"description\": \"CWE-862 Missing Authorization\"}]}], \"providerMetadata\": {\"orgId\": \"b15e7b5b-3da4-40ae-a43c-f7aa60e62599\", \"shortName\": \"Wordfence\", \"dateUpdated\": \"2024-10-16T06:43:31.059Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2021-4448\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-10-16T18:06:05.354Z\", \"dateReserved\": \"2024-10-15T18:33:45.075Z\", \"assignerOrgId\": \"b15e7b5b-3da4-40ae-a43c-f7aa60e62599\", \"datePublished\": \"2024-10-16T06:43:31.059Z\", \"assignerShortName\": \"Wordfence\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…