← back
CVE-2021-24284

Kaswara Modern VC Addons <= 3.0.1 - Unauthenticated Arbitrary File Upload

EPSS 42.1%CWE-434
The Kaswara Modern VC Addons WordPress plugin through 3.0.1 allows unauthenticated arbitrary file upload via the 'uploadFontIcon' AJAX action. The supplied zipfile being unzipped in the wp-content/uploads/kaswara/fonts_icon directory with no checks for malicious files such as PHP.
Affected products
SayenThemes · Kaswara Modern VC Addons

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
http://packetstormsecurity.com/files/167743/WordPress-Kaswara-Modern-WPBakery-Page-Builder-3.0.1-File-Upload.htmlhttps://codecanyon.net/item/kaswara-modern-visual-composer-addons/19341477https://wpscan.com/vulnerability/8d66e338-a88f-4610-8d12-43e8be2da8c5