CVE-2021-39352 HIGH

CVE-2021-39352: Catch Themes Demo Import <= 1.7 Admin+ Arbitrary File Upload

Vendor Catch Themes Demo Import
Product Catch Themes Demo Import
Weakness CWE-434 · Unrestricted file upload
Published October 21, 2021
Last update February 14, 2025

CVSS base score

7.2/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

The Catch Themes Demo Import WordPress plugin, in versions up to and including 1.7, is vulnerable to arbitrary file upload via the import functionality in the ~/inc/CatchThemesDemoImport.php file, because the imported file's type is not sufficiently validated. An attacker who already holds administrative privileges (the "Admin+" in the title, PR:H in the CVSS vector) can upload a malicious file, such as a PHP script, to a location from which it is later served or executed, and so achieve remote code execution on the site.
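To make the CWE-434 pattern concrete, the PHP below is an added illustration and is not code from the Catch Themes Demo Import plugin or from its fix. It contrasts an importer that trusts the client-supplied file name and MIME type with a hardened handler that allowlists the final extension, checks that the bytes actually parse as the expected format, refuses PHP open tags, and stores the file under a server-chosen name outside any web-executed directory. All function names, directory names and sample payloads are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Added example, not the plugin's code. Weak pattern: the only check is the
// MIME type the browser claims, and the file keeps its client-supplied name
// inside a web-served directory, so "demo.php" becomes remotely executable.
function weak_store_demo_file(string $tmpPath, string $clientName, string $clientMime, string $webDir): string
{
    if (stripos($clientMime, 'xml') === false) {   // client-controlled, trivially forged
        throw new RuntimeException('Not an XML upload');
    }
    $dest = rtrim($webDir, '/') . '/' . basename($clientName);
    rename($tmpPath, $dest);   // stand-in for move_uploaded_file()
    return $dest;
}

// Hardened pattern: allowlist the final extension, verify the content with the
// parser the importer will really use, reject PHP even when it parses, discard
// the client name, and write to a directory PHP never executes from.
function hardened_store_demo_file(string $tmpPath, string $clientName, string $quarantineDir): string
{
    $allowed = ['xml', 'json'];

    // 1. Only the last extension counts, lower-cased ("demo.php.XML" -> "xml").
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowed, true)) {
        throw new RuntimeException("Extension '$ext' is not allowed");
    }

    // 2. Validate the bytes, not $_FILES[...]['type'].
    $content = file_get_contents($tmpPath);
    if ($content === false) {
        throw new RuntimeException('Cannot read upload');
    }
    if ($ext === 'xml') {
        $prev = libxml_use_internal_errors(true);
        // LIBXML_NONET blocks network fetches; LIBXML_NOENT is deliberately not set (XXE).
        $doc = simplexml_load_string($content, 'SimpleXMLElement', LIBXML_NONET);
        libxml_clear_errors();
        libxml_use_internal_errors($prev);
        if ($doc === false) {
            throw new RuntimeException('Upload is not well-formed XML');
        }
    } else {
        json_decode($content, true, 64);
        if (json_last_error() !== JSON_ERROR_NONE) {
            throw new RuntimeException('Upload is not valid JSON');
        }
    }

    // 3. "<?php ... ?><root/>" is well-formed XML AND executable PHP, so parsing
    //    alone is not enough: refuse PHP open tags outright.
    if (preg_match('/<\?(php|=)/i', $content)) {
        throw new RuntimeException('Upload contains a PHP open tag');
    }

    // 4. Server-chosen random name with a forced extension; the client name is
    //    never reused, so path tricks and double extensions do not survive.
    $dest = rtrim($quarantineDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    rename($tmpPath, $dest);
    return $dest;
}

// --- constructed demonstration (payloads invented for this example) ---------
$base = sys_get_temp_dir() . '/demo-import-' . bin2hex(random_bytes(4));
mkdir("$base/uploads", 0700, true);      // stands in for a web-served directory
mkdir("$base/quarantine", 0700, true);   // stands in for a no-execute directory

$samples = [
    // [client file name, bytes, client-claimed MIME type]
    ['demo.php',    "<?php system(\$_GET['c']); ?>",                    'text/xml'],
    ['demo.xml',    "<?php system(\$_GET['c']); ?><demo/>",             'text/xml'], // XML/PHP polyglot
    ['content.xml', "<?xml version=\"1.0\"?><demo><p>ok</p></demo>",    'text/xml'],
];

foreach ($samples as [$name, $bytes, $mime]) {
    $tmpWeak = tempnam($base, 'up');
    $tmpHard = tempnam($base, 'up');
    file_put_contents($tmpWeak, $bytes);
    file_put_contents($tmpHard, $bytes);
    try {
        $r = basename(weak_store_demo_file($tmpWeak, $name, $mime, "$base/uploads"));
    } catch (RuntimeException $e) {
        $r = 'rejected: ' . $e->getMessage();
    }
    printf("weak      %-12s -> %s\n", $name, $r);
    try {
        $r = basename(hardened_store_demo_file($tmpHard, $name, "$base/quarantine"));
    } catch (RuntimeException $e) {
        $r = 'rejected: ' . $e->getMessage();
    }
    printf("hardened  %-12s -> %s\n", $name, $r);
}
```

Run with `php demo.php`. The weak handler stores all three samples under their original names, so `demo.php` lands in the served directory and the polyglot keeps a name the attacker chose; the hardened handler rejects the first two and stores only the genuine XML under a random `.xml` name in the quarantine directory. In a WordPress plugin the equivalent of steps 1 and 2 is `wp_check_filetype_and_ext()`, which combines the site's extension allowlist with a check of the file's real MIME type; steps 3 and 4 are what stop a file that is both valid XML and valid PHP from ever being executable. None of this replaces updating the plugin past 1.7, which is the fix for the record above.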

Key dates

02 Disclosure timeline

October 21, 2021 CVE published
February 14, 2025 Record updated