Improper Control of Generation of Code ('Code Injection') vulnerability in Brainstorm Force Astra Pro.This issue affects Astra Pro: from n/a through 4.3.1.
The vulnerability results from improper code generation control (CWE-94), which classifies it as code injection. An attacker with Contributor privileges can supply a crafted payload to the application, which will be executed as server-side code. Due to the network vector (AV:N), low attack complexity (AC:L) and changed scope (S:C), the consequences of malicious code execution can extend beyond the plugin itself and affect the entire server.
An attacker can gain full control over the server — read, modify or delete data, and potentially take over the entire WordPress service. The compromise affects confidentiality, integrity and availability of the system at the highest level.
The Astra Pro plugin must be immediately updated to a version higher than 4.3.1, in accordance with the manufacturer's information and the Patchstack database. It is also recommended to review user accounts with the Contributor role and above for unauthorized changes.
Brainstorm Force Astra Pro plugin in all versions from the beginning up to and including 4.3.1.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:HBrainstormforce Astra
APPBrainstormforce≤ 4.3.1
Related vulnerabilities
The Astra Pro Addon WordPress plugin before 3.5.2 did not properly sanitise or escape some of the POST paramet...
Missing Authorization vulnerability in Brainstorm Force Astra Bulk Edit.This issue affects Astra Bulk Edit: fr...
The SureForms – Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to arbitrary file ...
The SureForms – Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to PHP Object Inje...
Improper Privilege Management vulnerability in Brainstorm Force Ultimate Addons for Elementor allows Privilege...