HIGH✓ PATCH🇬🇧 English

CVE-2021-39317

CVSS 8.8v3.1pub. 2021-10-11upd. 2024-11-21

A WordPress plugin and several WordPress themes developed by AccessPress Themes are vulnerable to malicious file uploads via the plugin_offline_installer AJAX action due to a missing capability check in the plugin_offline_installer_callback function found in the /demo-functions.php file or /welcome.php file of the affected products. The complete list of affected products and their versions are below: WordPress Plugin: AccessPress Demo Importer <=1.0.6 WordPress Themes: accesspress-basic <= 3.2.1 accesspress-lite <= 2.92 accesspress-mag <= 2.6.5 accesspress-parallax <= 4.5 accesspress-root <= 2.5 accesspress-store <= 2.4.9 agency-lite <= 1.1.6 arrival <= 1.4.2 bingle <= 1.0.4 bloger <= 1.2.6 brovy <= 1.3 construction-lite <= 1.2.5 doko <= 1.0.27 edict-lite <= 1.1.4 eightlaw-lite <= 2.1.5 eightmedi-lite <= 2.1.8 eight-sec <= 1.1.4 eightstore-lite <= 1.2.5 enlighten <= 1.3.5 fotography <= 2.4.0 opstore <= 1.4.3 parallaxsome <= 1.3.6 punte <= 1.1.2 revolve <= 1.3.1 ripple <= 1.2.0 sakala <= 1.0.4 scrollme <= 2.1.0 storevilla <= 1.4.1 swing-lite <= 1.1.9 the100 <= 1.1.2 the-launcher <= 1.3.2 the-monday <= 1.4.1 ultra-seven <= 1.2.8 uncode-lite <= 1.3.3 vmag <= 1.2.7 vmagazine-lite <= 1.3.5 vmagazine-news <= 1.0.5 wpparallax <= 2.0.6 wp-store <= 1.1.9 zigcy-baby <= 1.0.6 zigcy-cosmetics <= 1.0.5 zigcy-lite <= 2.0.9

oryginał EN
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • Accesspressthemes Access Demo Importer

    APP
    Accesspressthemes
    < 1.0.7
  • Accesspressthemes Accesspress Basic

    APP
    Accesspressthemes
    ≤ 3.2.1
  • Accesspressthemes Accesspress Lite

    APP
    Accesspressthemes
    ≤ 2.92
  • Accesspressthemes Accesspress Mag

    APP
    Accesspressthemes
    ≤ 2.6.5
  • Accesspressthemes Accesspress Parallax

    APP
    Accesspressthemes
    ≤ 4.5
  • Accesspressthemes Accesspress Root

    APP
    Accesspressthemes
    ≤ 2.5
  • Accesspressthemes Accesspress Store

    APP
    Accesspressthemes
    ≤ 2.4.9
  • Accesspressthemes Agency Lite

    APP
    Accesspressthemes
    ≤ 1.1.6
  • Accesspressthemes Arrival

    APP
    Accesspressthemes
    ≤ 1.4.2
  • Accesspressthemes Bingle

    APP
    Accesspressthemes
    ≤ 1.0.4
  • Accesspressthemes Bloger

    APP
    Accesspressthemes
    ≤ 1.2.6
  • Accesspressthemes Brovy

    APP
    Accesspressthemes
    ≤ 1.3
  • Accesspressthemes Construction Lite

    APP
    Accesspressthemes
    ≤ 1.2.5
  • Accesspressthemes Doko

    APP
    Accesspressthemes
    ≤ 1.0.27
  • Accesspressthemes Edict Lite

    APP
    Accesspressthemes
    ≤ 1.1.4
  • Accesspressthemes Eightlaw Lite

    APP
    Accesspressthemes
    ≤ 2.1.5
  • Accesspressthemes Eightmedi Lite

    APP
    Accesspressthemes
    ≤ 2.1.8
  • Accesspressthemes Eight Sec

    APP
    Accesspressthemes
    ≤ 1.1.4
  • Accesspressthemes Eightstore Lite

    APP
    Accesspressthemes
    ≤ 1.2.5
  • Accesspressthemes Enlighten

    APP
    Accesspressthemes
    ≤ 1.3.5
  • Accesspressthemes Fotography

    APP
    Accesspressthemes
    ≤ 2.4.0
  • Accesspressthemes Opstore

    APP
    Accesspressthemes
    ≤ 1.4.3
  • Accesspressthemes Parallaxsome

    APP
    Accesspressthemes
    ≤ 1.3.6
  • Accesspressthemes Punte

    APP
    Accesspressthemes
    ≤ 1.1.2
  • Accesspressthemes Revolve

    APP
    Accesspressthemes
    ≤ 1.3.1
  • Accesspressthemes Ripple

    APP
    Accesspressthemes
    ≤ 1.2.0
  • Accesspressthemes Sakala

    APP
    Accesspressthemes
    ≤ 1.0.4
  • Accesspressthemes Scrollme

    APP
    Accesspressthemes
    ≤ 2.1.0
  • Accesspressthemes Storevilla

    APP
    Accesspressthemes
    ≤ 1.4.1
  • Accesspressthemes Swing Lite

    APP
    Accesspressthemes
    ≤ 1.1.9
🟢
PATCH DOSTĘPNY
Aktualizacja od producenta gotowa. Wdrożenie w ramach standardowego cyklu.
CWE
Referencje

Powiązane podatności

CVE-2021-24867CRITICAL9.8ten sam produkt

Numerous Plugins and Themes from the AccessPress Themes (aka Access Keys) vendor are backdoored due to their w...

CVE-2022-23976HIGH8.1ten sam produkt

Cross-Site Request Forgery (CSRF) in Access Demo Importer <= 1.0.7 on WordPress allows an attacker to reset al...

CVE-2022-23975MEDIUM6.5ten sam produkt

Cross-Site Request Forgery (CSRF) in Access Demo Importer <= 1.0.7 on WordPress allows an attacker to activate...

CVE-2017-16949CRITICAL9.8ten sam vendor

An issue was discovered in the AccessKeys AccessPress Anonymous Post Pro plugin through 3.1.9 for WordPress. I...

CVE-2017-15919CRITICAL9.8ten sam vendor

The ultimate-form-builder-lite plugin before 1.3.7 for WordPress has SQL Injection, with resultant PHP Object ...