QwikSec

Security Database

CVE

CWE

Training

CVE-2021-24284

Published: May 14, 2021

Modified: Aug 3, 2024

PUBLISHED

Description

The Kaswara Modern VC Addons WordPress plugin through 3.0.1 allows unauthenticated arbitrary file upload via the 'uploadFontIcon' AJAX action. The supplied zipfile being unzipped in the wp-content/uploads/kaswara/fonts_icon directory with no checks for malicious files such as PHP.

Vendor	Product	Versions
SayenThemes	Kaswara Modern VC Addons	affected `3.0.1 - <= 3.0.1`

Weaknesses (CWE)

References

https://wpscan.com/vulnerability/8d66e338-a88f-4610-8d12-43e8be2da8c5

x_refsource_CONFIRM

https://codecanyon.net/item/kaswara-modern-visual-composer-addons/19341477

x_refsource_MISC

http://packetstormsecurity.com/files/167743/WordPress-Kaswara-Modern-WPBakery-Page-Builder-3.0.1-File-Upload.html

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.