CVE-2021-24284

CVE-2021-24284: Kaswara Modern VC Addons <= 3.0.1 - Unauthenticated Arbitrary File Upload

Vendor: Sayenthemes
Product: Kaswara Modern VC Addons
Weakness: CWE-434 (Unrestricted file upload)
Published: May 14, 2021
Last update: August 3, 2024

What the vulnerability does

01 Description

The Kaswara Modern VC Addons WordPress plugin through 3.0.1 allows unauthenticated arbitrary file upload via the 'uploadFontIcon' AJAX action. The supplied zip file is unzipped into the wp-content/uploads/kaswara/fonts_icon directory with no checks for malicious files such as PHP.
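
The check the description says is missing, written as an added example for defenders (it is not the plugin's code or a vendor fix): validate every archive member before extraction, and run the same test over files already present in the fonts_icon directory. The allowlist, the set of server-executable extensions and all function names are assumptions made for illustration.

```python
import io
import zipfile
from pathlib import Path, PurePosixPath

# Assumptions (not from the plugin): what a font-icon pack may contain, and
# which extensions a typical PHP-enabled web server would execute.
ALLOWED = {".css", ".eot", ".svg", ".ttf", ".woff", ".woff2", ".json"}
EXECUTABLE = {".php", ".phtml", ".phar", ".pht", ".php5", ".php7"}

def entry_problem(name):
    """Return the reason a member/file name is unacceptable, or None."""
    path = PurePosixPath(name.replace("\\", "/"))
    suffixes = [s.lower() for s in path.suffixes]
    if path.is_absolute() or ".." in path.parts:
        return "path escapes extraction directory"
    # Test every suffix: "b.php.svg" can still run under some handler configs.
    if any(s in EXECUTABLE for s in suffixes):
        return "server-executable extension"
    if path.name.startswith(".") or not suffixes or suffixes[-1] not in ALLOWED:
        return "not on font-icon allowlist"
    return None

def audit_zip(data):
    """Check an uploaded archive (bytes) before anything is extracted."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = [i.filename for i in zf.infolist() if not i.is_dir()]
    return {n: p for n in names if (p := entry_problem(n))}

def audit_dir(root):
    """Apply the same check to files already sitting under root."""
    root = Path(root)
    rels = [f.relative_to(root).as_posix() for f in root.rglob("*") if f.is_file()]
    return {r: p for r in rels if (p := entry_problem(r))}

def sample_zip():
    """Constructed sample archive: two font files and three bad members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ("icons/style.css", "icons/font.woff",
                     "icons/a.php", "icons/b.PhP.svg", "../.htaccess"):
            zf.writestr(name, b"constructed placeholder")
    return buf.getvalue()

if __name__ == "__main__":
    for name, why in audit_zip(sample_zip()).items():
        print(f"REJECT {name}: {why}")
    # On a host: audit_dir("wp-content/uploads/kaswara/fonts_icon")
```

Any non-empty result from audit_dir on the directory named in the description means files are present that a font-icon pack would not normally contain and should be reviewed.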

Key dates

02 Disclosure timeline

May 14, 2021: CVE published
August 3, 2024: Record updated