GSD-2021-39317
Vulnerability from gsd - Updated: 2023-12-13 01:23Details
A WordPress plugin and several WordPress themes developed by AccessPress Themes are vulnerable to malicious file uploads via the plugin_offline_installer AJAX action due to a missing capability check in the plugin_offline_installer_callback function found in the /demo-functions.php file or /welcome.php file of the affected products. The complete list of affected products and their versions are below: WordPress Plugin: AccessPress Demo Importer <=1.0.6 WordPress Themes: accesspress-basic <= 3.2.1 accesspress-lite <= 2.92 accesspress-mag <= 2.6.5 accesspress-parallax <= 4.5 accesspress-root <= 2.5 accesspress-store <= 2.4.9 agency-lite <= 1.1.6 arrival <= 1.4.2 bingle <= 1.0.4 bloger <= 1.2.6 brovy <= 1.3 construction-lite <= 1.2.5 doko <= 1.0.27 edict-lite <= 1.1.4 eightlaw-lite <= 2.1.5 eightmedi-lite <= 2.1.8 eight-sec <= 1.1.4 eightstore-lite <= 1.2.5 enlighten <= 1.3.5 fotography <= 2.4.0 opstore <= 1.4.3 parallaxsome <= 1.3.6 punte <= 1.1.2 revolve <= 1.3.1 ripple <= 1.2.0 sakala <= 1.0.4 scrollme <= 2.1.0 storevilla <= 1.4.1 swing-lite <= 1.1.9 the100 <= 1.1.2 the-launcher <= 1.3.2 the-monday <= 1.4.1 ultra-seven <= 1.2.8 uncode-lite <= 1.3.3 vmag <= 1.2.7 vmagazine-lite <= 1.3.5 vmagazine-news <= 1.0.5 wpparallax <= 2.0.6 wp-store <= 1.1.9 zigcy-baby <= 1.0.6 zigcy-cosmetics <= 1.0.5 zigcy-lite <= 2.0.9
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2021-39317",
"description": "A WordPress plugin and several WordPress themes developed by AccessPress Themes are vulnerable to malicious file uploads via the plugin_offline_installer AJAX action due to a missing capability check in the plugin_offline_installer_callback function found in the /demo-functions.php file or /welcome.php file of the affected products. The complete list of affected products and their versions are below: WordPress Plugin: AccessPress Demo Importer \u003c=1.0.6 WordPress Themes: accesspress-basic \u003c= 3.2.1 accesspress-lite \u003c= 2.92 accesspress-mag \u003c= 2.6.5 accesspress-parallax \u003c= 4.5 accesspress-root \u003c= 2.5 accesspress-store \u003c= 2.4.9 agency-lite \u003c= 1.1.6 arrival \u003c= 1.4.2 bingle \u003c= 1.0.4 bloger \u003c= 1.2.6 brovy \u003c= 1.3 construction-lite \u003c= 1.2.5 doko \u003c= 1.0.27 edict-lite \u003c= 1.1.4 eightlaw-lite \u003c= 2.1.5 eightmedi-lite \u003c= 2.1.8 eight-sec \u003c= 1.1.4 eightstore-lite \u003c= 1.2.5 enlighten \u003c= 1.3.5 fotography \u003c= 2.4.0 opstore \u003c= 1.4.3 parallaxsome \u003c= 1.3.6 punte \u003c= 1.1.2 revolve \u003c= 1.3.1 ripple \u003c= 1.2.0 sakala \u003c= 1.0.4 scrollme \u003c= 2.1.0 storevilla \u003c= 1.4.1 swing-lite \u003c= 1.1.9 the100 \u003c= 1.1.2 the-launcher \u003c= 1.3.2 the-monday \u003c= 1.4.1 ultra-seven \u003c= 1.2.8 uncode-lite \u003c= 1.3.3 vmag \u003c= 1.2.7 vmagazine-lite \u003c= 1.3.5 vmagazine-news \u003c= 1.0.5 wpparallax \u003c= 2.0.6 wp-store \u003c= 1.1.9 zigcy-baby \u003c= 1.0.6 zigcy-cosmetics \u003c= 1.0.5 zigcy-lite \u003c= 2.0.9",
"id": "GSD-2021-39317"
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2021-39317"
],
"details": "A WordPress plugin and several WordPress themes developed by AccessPress Themes are vulnerable to malicious file uploads via the plugin_offline_installer AJAX action due to a missing capability check in the plugin_offline_installer_callback function found in the /demo-functions.php file or /welcome.php file of the affected products. The complete list of affected products and their versions are below: WordPress Plugin: AccessPress Demo Importer \u003c=1.0.6 WordPress Themes: accesspress-basic \u003c= 3.2.1 accesspress-lite \u003c= 2.92 accesspress-mag \u003c= 2.6.5 accesspress-parallax \u003c= 4.5 accesspress-root \u003c= 2.5 accesspress-store \u003c= 2.4.9 agency-lite \u003c= 1.1.6 arrival \u003c= 1.4.2 bingle \u003c= 1.0.4 bloger \u003c= 1.2.6 brovy \u003c= 1.3 construction-lite \u003c= 1.2.5 doko \u003c= 1.0.27 edict-lite \u003c= 1.1.4 eightlaw-lite \u003c= 2.1.5 eightmedi-lite \u003c= 2.1.8 eight-sec \u003c= 1.1.4 eightstore-lite \u003c= 1.2.5 enlighten \u003c= 1.3.5 fotography \u003c= 2.4.0 opstore \u003c= 1.4.3 parallaxsome \u003c= 1.3.6 punte \u003c= 1.1.2 revolve \u003c= 1.3.1 ripple \u003c= 1.2.0 sakala \u003c= 1.0.4 scrollme \u003c= 2.1.0 storevilla \u003c= 1.4.1 swing-lite \u003c= 1.1.9 the100 \u003c= 1.1.2 the-launcher \u003c= 1.3.2 the-monday \u003c= 1.4.1 ultra-seven \u003c= 1.2.8 uncode-lite \u003c= 1.3.3 vmag \u003c= 1.2.7 vmagazine-lite \u003c= 1.3.5 vmagazine-news \u003c= 1.0.5 wpparallax \u003c= 2.0.6 wp-store \u003c= 1.1.9 zigcy-baby \u003c= 1.0.6 zigcy-cosmetics \u003c= 1.0.5 zigcy-lite \u003c= 2.0.9",
"id": "GSD-2021-39317",
"modified": "2023-12-13T01:23:16.089195Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"AKA": "Wordfence",
"ASSIGNER": "security@wordfence.com",
"DATE_PUBLIC": "2021-10-06T19:17:00.000Z",
"ID": "CVE-2021-39317",
"STATE": "PUBLIC",
"TITLE": "AccessPress Themes - Authenticated Malicious File Upload"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Access Demo Importer",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "1.0.6",
"version_value": "1.0.6"
}
]
}
},
{
"product_name": "accesspress-basic",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "3.2.1",
"version_value": "3.2.1"
}
]
}
},
{
"product_name": "accesspress-lite ",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "2.9.2",
"version_value": "2.9.2"
}
]
}
},
{
"product_name": "accesspress-mag",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "2.6.5",
"version_value": "2.6.5"
}
]
}
},
{
"product_name": "accesspress-parallax",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "4.5",
"version_value": "4.5"
}
]
}
},
{
"product_name": "accesspress-root ",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "2.5",
"version_value": "2.5"
}
]
}
},
{
"product_name": "accesspress-store",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "2.4.9",
"version_value": "2.4.9"
}
]
}
},
{
"product_name": "agency-lite",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "1.1.6",
"version_value": "1.1.6"
}
]
}
},
{
"product_name": "arrival",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "1.4.2",
"version_value": "1.4.2"
}
]
}
},
{
"product_name": "bingle",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "1.0.4",
"version_value": "1.0.4"
}
]
}
},
{
"product_name": "bloger",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "1.2.6",
"version_value": "1.2.6"
}
]
}
},
{
"product_name": "brovy ",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "1.3",
"version_value": "1.3"
}
]
}
},
{
"product_name": "construction-lite",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "1.2.5",
"version_value": "1.2.5"
}
]
}
},
{
"product_name": "doko",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "1.0.27",
"version_value": "1.0.27"
}
]
}
},
{
"product_name": "edict-lite",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "1.1.4",
"version_value": "1.1.4"
}
]
}
},
{
"product_name": "enlighten",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "1.3.5",
"version_value": "1.3.5"
}
]
}
},
{
"product_name": "fotography",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "2.4.0",
"version_value": "2.4.0"
}
]
}
},
{
"product_name": "opstore",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "1.4.3",
"version_value": "1.4.3"
}
]
}
},
{
"product_name": "parallaxsome",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "1.3.6",
"version_value": "1.3.6"
}
]
}
},
{
"product_name": "punte",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "1.1.2",
"version_value": "1.1.2"
}
]
}
},
{
"product_name": "revolve",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "1.3.1",
"version_value": "1.3.1"
}
]
}
},
{
"product_name": "ripple ",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "1.2.0",
"version_value": "1.2.0"
}
]
}
},
{
"product_name": "sakala",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "1.0.4",
"version_value": "1.0.4"
}
]
}
},
{
"product_name": "scrollme ",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "2.1.0",
"version_value": "2.1.0"
}
]
}
},
{
"product_name": "storevilla",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "1.4.1",
"version_value": "1.4.1"
}
]
}
},
{
"product_name": "swing-lite",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "1.1.9",
"version_value": "1.1.9"
}
]
}
},
{
"product_name": "swing-lite",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "1.1.9",
"version_value": "1.1.9"
}
]
}
},
{
"product_name": "the100",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "1.1.2",
"version_value": "1.1.2"
}
]
}
},
{
"product_name": "the-launcher",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "1.3.2",
"version_value": "1.3.2"
}
]
}
},
{
"product_name": "the-monday",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "1.4.1",
"version_value": "1.4.1"
}
]
}
},
{
"product_name": "ultra-seven",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "1.2.8",
"version_value": "1.2.8"
}
]
}
},
{
"product_name": "uncode-lite",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "1.3.3",
"version_value": "1.3.3"
}
]
}
},
{
"product_name": "vmag",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "1.2.7",
"version_value": "1.2.7"
}
]
}
},
{
"product_name": "vmagazine-lite",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "1.3.5",
"version_value": "1.3.5"
}
]
}
},
{
"product_name": "vmagazine-news",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "1.0.5",
"version_value": "1.0.5"
}
]
}
},
{
"product_name": "wpparallax",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "2.0.6",
"version_value": "2.0.6"
}
]
}
},
{
"product_name": "wp-store ",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "1.1.9",
"version_value": "1.1.9"
}
]
}
},
{
"product_name": "zigcy-baby",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "1.0.6",
"version_value": "1.0.6"
}
]
}
},
{
"product_name": "zigcy-cosmetics",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "1.0.5",
"version_value": "1.0.5"
}
]
}
},
{
"product_name": "zigcy-lite",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "2.0.9",
"version_value": "2.0.9"
}
]
}
}
]
},
"vendor_name": "AccessPress Themes"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Chloe Chamberland, Wordfence"
},
{
"lang": "eng",
"value": "Lenon Leite "
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A WordPress plugin and several WordPress themes developed by AccessPress Themes are vulnerable to malicious file uploads via the plugin_offline_installer AJAX action due to a missing capability check in the plugin_offline_installer_callback function found in the /demo-functions.php file or /welcome.php file of the affected products. The complete list of affected products and their versions are below: WordPress Plugin: AccessPress Demo Importer \u003c=1.0.6 WordPress Themes: accesspress-basic \u003c= 3.2.1 accesspress-lite \u003c= 2.92 accesspress-mag \u003c= 2.6.5 accesspress-parallax \u003c= 4.5 accesspress-root \u003c= 2.5 accesspress-store \u003c= 2.4.9 agency-lite \u003c= 1.1.6 arrival \u003c= 1.4.2 bingle \u003c= 1.0.4 bloger \u003c= 1.2.6 brovy \u003c= 1.3 construction-lite \u003c= 1.2.5 doko \u003c= 1.0.27 edict-lite \u003c= 1.1.4 eightlaw-lite \u003c= 2.1.5 eightmedi-lite \u003c= 2.1.8 eight-sec \u003c= 1.1.4 eightstore-lite \u003c= 1.2.5 enlighten \u003c= 1.3.5 fotography \u003c= 2.4.0 opstore \u003c= 1.4.3 parallaxsome \u003c= 1.3.6 punte \u003c= 1.1.2 revolve \u003c= 1.3.1 ripple \u003c= 1.2.0 sakala \u003c= 1.0.4 scrollme \u003c= 2.1.0 storevilla \u003c= 1.4.1 swing-lite \u003c= 1.1.9 the100 \u003c= 1.1.2 the-launcher \u003c= 1.3.2 the-monday \u003c= 1.4.1 ultra-seven \u003c= 1.2.8 uncode-lite \u003c= 1.3.3 vmag \u003c= 1.2.7 vmagazine-lite \u003c= 1.3.5 vmagazine-news \u003c= 1.0.5 wpparallax \u003c= 2.0.6 wp-store \u003c= 1.1.9 zigcy-baby \u003c= 1.0.6 zigcy-cosmetics \u003c= 1.0.5 zigcy-lite \u003c= 2.0.9"
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-285 Improper Authorization"
}
]
},
{
"description": [
{
"lang": "eng",
"value": "CWE-434 Unrestricted Upload of File with Dangerous Type"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.wordfence.com/blog/2021/10/high-severity-vulnerability-patched-in-access-demo-importer-plugin/",
"refsource": "MISC",
"url": "https://www.wordfence.com/blog/2021/10/high-severity-vulnerability-patched-in-access-demo-importer-plugin/"
},
{
"name": "https://plugins.trac.wordpress.org/changeset/2592642/access-demo-importer/trunk/inc/demo-functions.php",
"refsource": "MISC",
"url": "https://plugins.trac.wordpress.org/changeset/2592642/access-demo-importer/trunk/inc/demo-functions.php"
},
{
"name": "https://plugins.trac.wordpress.org/changeset/2602132/access-demo-importer/trunk/inc/demo-functions.php",
"refsource": "MISC",
"url": "https://plugins.trac.wordpress.org/changeset/2602132/access-demo-importer/trunk/inc/demo-functions.php"
},
{
"name": "https://patchstack.com/articles/authenticated-vulnerability-in-unpatched-wordpress-themes/",
"refsource": "MISC",
"url": "https://patchstack.com/articles/authenticated-vulnerability-in-unpatched-wordpress-themes/"
}
]
},
"solution": [
{
"lang": "eng",
"value": "Update to the latest available version of software for each, or uninstall from WordPress site if no updated software available. "
}
],
"source": {
"discovery": "INTERNAL"
}
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:accesspressthemes:access_demo_importer:*:*:*:*:*:wordpress:*:*",
"cpe_name": [],
"versionEndExcluding": "1.0.7",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:accesspressthemes:eightstore-lite:*:*:*:*:*:wordpress:*:*",
"cpe_name": [],
"versionEndIncluding": "1.2.5",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:accesspressthemes:enlighten:*:*:*:*:*:wordpress:*:*",
"cpe_name": [],
"versionEndIncluding": "1.3.5",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:accesspressthemes:fotography:*:*:*:*:*:wordpress:*:*",
"cpe_name": [],
"versionEndIncluding": "2.4.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:accesspressthemes:opstore:*:*:*:*:*:wordpress:*:*",
"cpe_name": [],
"versionEndIncluding": "1.4.3",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:accesspressthemes:parallaxsome:*:*:*:*:*:wordpress:*:*",
"cpe_name": [],
"versionEndIncluding": "1.3.6",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:accesspressthemes:punte:*:*:*:*:*:wordpress:*:*",
"cpe_name": [],
"versionEndIncluding": "1.1.2",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:accesspressthemes:revolve:*:*:*:*:*:wordpress:*:*",
"cpe_name": [],
"versionEndIncluding": "1.3.1",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:accesspressthemes:ripple:*:*:*:*:*:wordpress:*:*",
"cpe_name": [],
"versionEndIncluding": "1.2.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:accesspressthemes:sakala:*:*:*:*:*:wordpress:*:*",
"cpe_name": [],
"versionEndIncluding": "1.0.4",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:accesspressthemes:scrollme:*:*:*:*:*:wordpress:*:*",
"cpe_name": [],
"versionEndIncluding": "2.1.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:accesspressthemes:storevilla:*:*:*:*:*:wordpress:*:*",
"cpe_name": [],
"versionEndIncluding": "1.4.1",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:accesspressthemes:swing-lite:*:*:*:*:*:wordpress:*:*",
"cpe_name": [],
"versionEndIncluding": "1.1.9",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:accesspressthemes:the100:*:*:*:*:*:wordpress:*:*",
"cpe_name": [],
"versionEndIncluding": "1.1.2",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:accesspressthemes:accesspress-lite:*:*:*:*:*:wordpress:*:*",
"cpe_name": [],
"versionEndIncluding": "2.92",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:accesspressthemes:the-launcher:*:*:*:*:*:wordpress:*:*",
"cpe_name": [],
"versionEndIncluding": "1.3.2",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:accesspressthemes:the-monday:*:*:*:*:*:wordpress:*:*",
"cpe_name": [],
"versionEndIncluding": "1.4.1",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:accesspressthemes:ultra-seven:*:*:*:*:*:wordpress:*:*",
"cpe_name": [],
"versionEndIncluding": "1.2.8",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:accesspressthemes:uncode-lite:*:*:*:*:*:wordpress:*:*",
"cpe_name": [],
"versionEndIncluding": "1.3.3",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:accesspressthemes:vmag:*:*:*:*:*:wordpress:*:*",
"cpe_name": [],
"versionEndIncluding": "1.2.7",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:accesspressthemes:vmagazine-lite:*:*:*:*:*:wordpress:*:*",
"cpe_name": [],
"versionEndIncluding": "1.3.5",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:accesspressthemes:vmagazine-news:*:*:*:*:*:wordpress:*:*",
"cpe_name": [],
"versionEndIncluding": "1.0.5",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:accesspressthemes:wp-store:*:*:*:*:*:wordpress:*:*",
"cpe_name": [],
"versionEndIncluding": "1.1.9",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:accesspressthemes:wpparallax:*:*:*:*:*:wordpress:*:*",
"cpe_name": [],
"versionEndIncluding": "2.0.6",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:accesspressthemes:zigcy-baby:*:*:*:*:*:wordpress:*:*",
"cpe_name": [],
"versionEndIncluding": "1.0.6",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:accesspressthemes:zigcy-cosmetics:*:*:*:*:*:wordpress:*:*",
"cpe_name": [],
"versionEndIncluding": "1.0.5",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:accesspressthemes:zigcy-lite:*:*:*:*:*:wordpress:*:*",
"cpe_name": [],
"versionEndIncluding": "2.0.9",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:accesspressthemes:accesspress-mag:*:*:*:*:*:wordpress:*:*",
"cpe_name": [],
"versionEndIncluding": "2.6.5",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:accesspressthemes:accesspress-parallax:*:*:*:*:*:wordpress:*:*",
"cpe_name": [],
"versionEndIncluding": "4.5",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:accesspressthemes:accesspress-root:*:*:*:*:*:wordpress:*:*",
"cpe_name": [],
"versionEndIncluding": "2.5",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:accesspressthemes:accesspress-store:*:*:*:*:*:wordpress:*:*",
"cpe_name": [],
"versionEndIncluding": "2.4.9",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:accesspressthemes:agency-lite:*:*:*:*:*:wordpress:*:*",
"cpe_name": [],
"versionEndIncluding": "1.1.6",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:accesspressthemes:arrival:*:*:*:*:*:wordpress:*:*",
"cpe_name": [],
"versionEndIncluding": "1.4.2",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:accesspressthemes:bingle:*:*:*:*:*:wordpress:*:*",
"cpe_name": [],
"versionEndIncluding": "1.0.4",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:accesspressthemes:bloger:*:*:*:*:*:wordpress:*:*",
"cpe_name": [],
"versionEndIncluding": "1.2.6",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:accesspressthemes:brovy:*:*:*:*:*:wordpress:*:*",
"cpe_name": [],
"versionEndIncluding": "1.3",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:accesspressthemes:construction-lite:*:*:*:*:*:wordpress:*:*",
"cpe_name": [],
"versionEndIncluding": "1.2.5",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:accesspressthemes:doko:*:*:*:*:*:wordpress:*:*",
"cpe_name": [],
"versionEndIncluding": "1.0.27",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:accesspressthemes:edict-lite:*:*:*:*:*:wordpress:*:*",
"cpe_name": [],
"versionEndIncluding": "1.1.4",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:accesspressthemes:eight-sec:*:*:*:*:*:wordpress:*:*",
"cpe_name": [],
"versionEndIncluding": "1.1.4",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:accesspressthemes:eightlaw-lite:*:*:*:*:*:wordpress:*:*",
"cpe_name": [],
"versionEndIncluding": "2.1.5",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:accesspressthemes:eightmedi-lite:*:*:*:*:*:wordpress:*:*",
"cpe_name": [],
"versionEndIncluding": "2.1.8",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:accesspressthemes:accesspress_basic:*:*:*:*:*:wordpress:*:*",
"cpe_name": [],
"versionEndIncluding": "3.2.1",
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "security@wordfence.com",
"ID": "CVE-2021-39317"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "A WordPress plugin and several WordPress themes developed by AccessPress Themes are vulnerable to malicious file uploads via the plugin_offline_installer AJAX action due to a missing capability check in the plugin_offline_installer_callback function found in the /demo-functions.php file or /welcome.php file of the affected products. The complete list of affected products and their versions are below: WordPress Plugin: AccessPress Demo Importer \u003c=1.0.6 WordPress Themes: accesspress-basic \u003c= 3.2.1 accesspress-lite \u003c= 2.92 accesspress-mag \u003c= 2.6.5 accesspress-parallax \u003c= 4.5 accesspress-root \u003c= 2.5 accesspress-store \u003c= 2.4.9 agency-lite \u003c= 1.1.6 arrival \u003c= 1.4.2 bingle \u003c= 1.0.4 bloger \u003c= 1.2.6 brovy \u003c= 1.3 construction-lite \u003c= 1.2.5 doko \u003c= 1.0.27 edict-lite \u003c= 1.1.4 eightlaw-lite \u003c= 2.1.5 eightmedi-lite \u003c= 2.1.8 eight-sec \u003c= 1.1.4 eightstore-lite \u003c= 1.2.5 enlighten \u003c= 1.3.5 fotography \u003c= 2.4.0 opstore \u003c= 1.4.3 parallaxsome \u003c= 1.3.6 punte \u003c= 1.1.2 revolve \u003c= 1.3.1 ripple \u003c= 1.2.0 sakala \u003c= 1.0.4 scrollme \u003c= 2.1.0 storevilla \u003c= 1.4.1 swing-lite \u003c= 1.1.9 the100 \u003c= 1.1.2 the-launcher \u003c= 1.3.2 the-monday \u003c= 1.4.1 ultra-seven \u003c= 1.2.8 uncode-lite \u003c= 1.3.3 vmag \u003c= 1.2.7 vmagazine-lite \u003c= 1.3.5 vmagazine-news \u003c= 1.0.5 wpparallax \u003c= 2.0.6 wp-store \u003c= 1.1.9 zigcy-baby \u003c= 1.0.6 zigcy-cosmetics \u003c= 1.0.5 zigcy-lite \u003c= 2.0.9"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-434"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.wordfence.com/blog/2021/10/high-severity-vulnerability-patched-in-access-demo-importer-plugin/",
"refsource": "MISC",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.wordfence.com/blog/2021/10/high-severity-vulnerability-patched-in-access-demo-importer-plugin/"
},
{
"name": "https://plugins.trac.wordpress.org/changeset/2602132/access-demo-importer/trunk/inc/demo-functions.php",
"refsource": "MISC",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://plugins.trac.wordpress.org/changeset/2602132/access-demo-importer/trunk/inc/demo-functions.php"
},
{
"name": "https://plugins.trac.wordpress.org/changeset/2592642/access-demo-importer/trunk/inc/demo-functions.php",
"refsource": "MISC",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://plugins.trac.wordpress.org/changeset/2592642/access-demo-importer/trunk/inc/demo-functions.php"
},
{
"name": "https://patchstack.com/articles/authenticated-vulnerability-in-unpatched-wordpress-themes/",
"refsource": "MISC",
"tags": [
"Third Party Advisory"
],
"url": "https://patchstack.com/articles/authenticated-vulnerability-in-unpatched-wordpress-themes/"
}
]
}
},
"impact": {
"baseMetricV2": {
"acInsufInfo": false,
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": false
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9
}
},
"lastModifiedDate": "2022-12-09T16:43Z",
"publishedDate": "2021-10-11T16:15Z"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…