
CVE-2021-24284

Published: 14/05/2021 Updated: 28/09/2022
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 668
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

The Kaswara Modern VC Addons WordPress plugin up to and including 3.0.1 allows unauthenticated arbitrary file upload via the 'uploadFontIcon' AJAX action. The supplied zip file is unzipped in the wp-content/uploads/kaswara/fonts_icon directory with no checks for malicious files such as PHP.
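An added example (not code from the plugin or from the advisory) of the check the summary says is missing: every archive member is validated against an extension allow-list before anything is extracted. The allow-list, the function names and the sample archive are assumptions constructed for illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Assumption: extensions an icon-font pack legitimately needs; adjust to the real pack format.
ALLOWED_EXT = {"css", "eot", "svg", "ttf", "woff", "woff2", "json"}
# Extensions a PHP-enabled web server may execute, checked in every dotted segment.
SCRIPT_EXT = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "pht"}


def rejected_entries(zip_bytes: bytes) -> dict[str, str]:
    """Return {entry name: reason} for every archive member that must not be extracted."""
    problems = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = PurePosixPath(info.filename.replace("\\", "/"))
            segments = path.name.lower().split(".")[1:]  # every dotted suffix
            if path.is_absolute() or ".." in path.parts:
                problems[info.filename] = "path escapes the extraction directory"
            elif SCRIPT_EXT.intersection(segments):
                problems[info.filename] = "server-executable extension"
            elif not segments or segments[-1] not in ALLOWED_EXT:
                problems[info.filename] = "extension not on the allow-list"
    return problems


def build_zip(names):
    """Build an in-memory archive with placeholder contents (constructed sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n, b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_zip(["icons/style.css", "icons/font.woff2", "icons/x.php",
                        "icons/y.php.svg", "../up.css", "icons/.htaccess"])
    for entry, reason in rejected_entries(sample).items():
        print(f"REJECT {entry}: {reason}")
```

An upload handler would refuse the whole archive when the returned mapping is non-empty, rather than extracting the members that passed.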

Vulnerable Product

kaswara project kaswara

Github Repositories

SharkXploit Wordpress Auto Exploit is a great tool for searching for vulnerabilities in WordPress

SharkXploit SharkXploit Wordpress Auto Exploit v01 Feature : Fast Scanning Multithread Support http/https Safe for use no backdoor or etc Requirement : Python 3114 pip 2312 Prof ZoomSounds < 605 - Unauthenticated Arbitrary File Upload CVE-2021-25094 CVE-2021-24284 WP-ENGINE - Unauthenticated Arbitrary File Upload Cherry Plugin 127 - Unauthenticated Arbi

Recent Articles

Thousands of websites run buggy WordPress plugin that allows complete takeover
The Register • Jessica Lyons Hardcastle • 01 Jan 1970

All versions are susceptible, there's no patch, so now's a good time to remove this add-on

Miscreants have reportedly scanned almost 1.6 million websites in attempts to exploit an arbitrary file upload vulnerability in a previously disclosed buggy WordPress plugin. Traced as CVE-2021-24284, the vuln targets Kaswara Modern WPBakery Page Builder Addons and, if exploited, it would allow criminals to upload malicious JavaScript files and even completely take over an organization's website. Wordfence disclosed the flaw almost three months ago, and in a new advisory this week warned that cr...