CVE-2021-4448

The Kaswara Modern VC Addons plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 3.0.1 due to insufficient capability checking on various AJAX actions. This makes it possible for unauthenticated attackers to perform a wide variety of unauthorized actions such as importing data, uploading arbitrary files, deleting arbitrary files, and more.

CVSS v3 7.3 HIGH

7.3^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://codecanyon.net/item/kaswara-modern-visual-composer-addons/19341477	Not Applicable
https://www.wordfence.com/threat-intel/vulnerabilities/id/3bf76527-9a11-4755-992c-02fbc1a79bae?source=cve	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:kaswara_project:kaswara:*:*:*:*:*:wordpress:*:*

History

No history.

Information

Published : 2024-10-16 07:15

Updated : 2024-10-30 18:18

NVD link : CVE-2021-4448

Mitre link : CVE-2021-4448

CVE.ORG link : CVE-2021-4448

JSON object : View

Products Affected

kaswara_project

kaswara

CWE

CWE-862

Missing Authorization

{"id": "CVE-2021-4448", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security@wordfence.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 3.4, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2024-10-16T07:15:10.980", "references": [{"url": "https://codecanyon.net/item/kaswara-modern-visual-composer-addons/19341477", "tags": ["Not Applicable"], "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3bf76527-9a11-4755-992c-02fbc1a79bae?source=cve", "tags": ["Third Party Advisory"], "source": "security@wordfence.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security@wordfence.com", "description": [{"lang": "en", "value": "CWE-862"}]}], "descriptions": [{"lang": "en", "value": "The Kaswara Modern VC Addons plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 3.0.1 due to insufficient capability checking on various AJAX actions. This makes it possible for unauthenticated attackers to perform a wide variety of unauthorized actions such as importing data, uploading arbitrary files, deleting arbitrary files, and more."}, {"lang": "es", "value": "El complemento Kaswara Modern VC Addons para WordPress es vulnerable a la omisi\u00f3n de autorizaci\u00f3n en versiones hasta la 3.0.1 incluida debido a una comprobaci\u00f3n insuficiente de la capacidad en varias acciones AJAX. Esto permite que atacantes no autenticados realicen una amplia variedad de acciones no autorizadas, como importar datos, cargar archivos arbitrarios, eliminar archivos arbitrarios y m\u00e1s."}], "lastModified": "2024-10-30T18:18:58.743", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:kaswara_project:kaswara:*:*:*:*:*:wordpress:*:*", "vulnerable": true, "matchCriteriaId": "8B9EF5A0-624E-4C09-8DB5-8DD87CFF3FFA", "versionEndIncluding": "3.0.1"}], "operator": "OR"}]}], "sourceIdentifier": "security@wordfence.com"}