CVE-2021-39317

Published: Oct 11, 2021

Modified: Feb 14, 2025

PUBLISHED

CVSS v3.1

8.8

HIGH

Description

A WordPress plugin and several WordPress themes developed by AccessPress Themes are vulnerable to malicious file uploads via the plugin_offline_installer AJAX action due to a missing capability check in the plugin_offline_installer_callback function found in the /demo-functions.php file or /welcome.php file of the affected products. The complete list of affected products and their versions are below: WordPress Plugin: AccessPress Demo Importer <=1.0.6 WordPress Themes: accesspress-basic <= 3.2.1 accesspress-lite <= 2.92 accesspress-mag <= 2.6.5 accesspress-parallax <= 4.5 accesspress-root <= 2.5 accesspress-store <= 2.4.9 agency-lite <= 1.1.6 arrival <= 1.4.2 bingle <= 1.0.4 bloger <= 1.2.6 brovy <= 1.3 construction-lite <= 1.2.5 doko <= 1.0.27 edict-lite <= 1.1.4 eightlaw-lite <= 2.1.5 eightmedi-lite <= 2.1.8 eight-sec <= 1.1.4 eightstore-lite <= 1.2.5 enlighten <= 1.3.5 fotography <= 2.4.0 opstore <= 1.4.3 parallaxsome <= 1.3.6 punte <= 1.1.2 revolve <= 1.3.1 ripple <= 1.2.0 sakala <= 1.0.4 scrollme <= 2.1.0 storevilla <= 1.4.1 swing-lite <= 1.1.9 the100 <= 1.1.2 the-launcher <= 1.3.2 the-monday <= 1.4.1 ultra-seven <= 1.2.8 uncode-lite <= 1.3.3 vmag <= 1.2.7 vmagazine-lite <= 1.3.5 vmagazine-news <= 1.0.5 wpparallax <= 2.0.6 wp-store <= 1.1.9 zigcy-baby <= 1.0.6 zigcy-cosmetics <= 1.0.5 zigcy-lite <= 2.0.9

Vendor	Product	Versions
AccessPress Themes	Access Demo Importer	affected `1.0.6 - <= 1.0.6`
AccessPress Themes	accesspress-basic	affected `3.2.1 - <= 3.2.1`
AccessPress Themes	accesspress-lite	affected `2.9.2 - <= 2.9.2`
AccessPress Themes	accesspress-mag	affected `2.6.5 - <= 2.6.5`
AccessPress Themes	accesspress-parallax	affected `4.5 - <= 4.5`
AccessPress Themes	accesspress-root	affected `2.5 - <= 2.5`
AccessPress Themes	accesspress-store	affected `2.4.9 - <= 2.4.9`
AccessPress Themes	agency-lite	affected `1.1.6 - <= 1.1.6`
AccessPress Themes	arrival	affected `1.4.2 - <= 1.4.2`
AccessPress Themes	bingle	affected `1.0.4 - <= 1.0.4`
AccessPress Themes	bloger	affected `1.2.6 - <= 1.2.6`
AccessPress Themes	brovy	affected `1.3 - <= 1.3`
AccessPress Themes	construction-lite	affected `1.2.5 - <= 1.2.5`
AccessPress Themes	doko	affected `1.0.27 - <= 1.0.27`
AccessPress Themes	edict-lite	affected `1.1.4 - <= 1.1.4`
AccessPress Themes	enlighten	affected `1.3.5 - <= 1.3.5`
AccessPress Themes	fotography	affected `2.4.0 - <= 2.4.0`
AccessPress Themes	opstore	affected `1.4.3 - <= 1.4.3`
AccessPress Themes	parallaxsome	affected `1.3.6 - <= 1.3.6`
AccessPress Themes	punte	affected `1.1.2 - <= 1.1.2`
AccessPress Themes	revolve	affected `1.3.1 - <= 1.3.1`
AccessPress Themes	ripple	affected `1.2.0 - <= 1.2.0`
AccessPress Themes	sakala	affected `1.0.4 - <= 1.0.4`
AccessPress Themes	scrollme	affected `2.1.0 - <= 2.1.0`
AccessPress Themes	storevilla	affected `1.4.1 - <= 1.4.1`
AccessPress Themes	swing-lite	affected `1.1.9 - <= 1.1.9`
AccessPress Themes	swing-lite	affected `1.1.9 - <= 1.1.9`
AccessPress Themes	the100	affected `1.1.2 - <= 1.1.2`
AccessPress Themes	the-launcher	affected `1.3.2 - <= 1.3.2`
AccessPress Themes	the-monday	affected `1.4.1 - <= 1.4.1`
AccessPress Themes	ultra-seven	affected `1.2.8 - <= 1.2.8`
AccessPress Themes	uncode-lite	affected `1.3.3 - <= 1.3.3`
AccessPress Themes	vmag	affected `1.2.7 - <= 1.2.7`
AccessPress Themes	vmagazine-lite	affected `1.3.5 - <= 1.3.5`
AccessPress Themes	vmagazine-news	affected `1.0.5 - <= 1.0.5`
AccessPress Themes	wpparallax	affected `2.0.6 - <= 2.0.6`
AccessPress Themes	wp-store	affected `1.1.9 - <= 1.1.9`
AccessPress Themes	zigcy-baby	affected `1.0.6 - <= 1.0.6`
AccessPress Themes	zigcy-cosmetics	affected `1.0.5 - <= 1.0.5`
AccessPress Themes	zigcy-lite	affected `2.0.9 - <= 2.0.9`