CVE-2021-24284
Severity: CRITICAL | Exploited in the wild | Nuclei template available
Kaswara < 3.0.1 - Unauthenticated Arbitrary File Upload via uploadFontIcon AJAX Action
Exploitation Summary
CVE-2021-24284 has been observed exploited in the wild (reported by VulnCheck KEV, InTheWild.io). A Nuclei detection template is also available.
Description
The Kaswara Modern VC Addons WordPress plugin through 3.0.1 allows unauthenticated arbitrary file upload via the 'uploadFontIcon' AJAX action. The supplied zip file is unzipped into the wp-content/uploads/kaswara/fonts_icon directory with no checks for malicious files such as PHP scripts.
Nuclei Templates (1)
WordPress Kaswara Modern VC Addons <= 3.0.1 - Arbitrary File Upload
Severity: CRITICAL, by lamscun, pussycat0x, pdteam
References (3)
Exploit, Third Party Advisory (x_refsource_confirm): https://wpscan.com/vulnerability/8d66e338-a88f-4610-8d12-43e8be2da8c5
Product, Third Party Advisory (x_refsource_misc): https://codecanyon.net/item/kaswara-modern-visual-composer-addons/19341477
Exploit, Third Party Advisory, VDB Entry (x_refsource_misc): http://packetstormsecurity.com/files/167743/WordPress-Kaswara-Modern-WPBakery-Page-Builder-3.0.1-File-Upload.html
Scores
CVSS v3: 9.8
EPSS: 0.4214
EPSS Percentile: 98.5%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
VulnCheck KEV: 2023-12-24
InTheWild.io: 2022-07-13
CWE: CWE-434
Status: published
Products (1)
kaswara_project/kaswara: < 3.0.1
Published: May 14, 2021
Tracked Since: Feb 18, 2026