Arbitrary File Upload Vulnerability in Envato Elements and Template Kit – Import for WordPress
CVE-2021-4330

8.8HIGH

Key Information:

Vendor: Wordpress
Status: Template Kit – Import; Envato Elements – Photos & Elementor Templates
Vendor: CVE Published:; 7 March 2023

Summary

The Envato Elements & Download and Template Kit – Import plugins for WordPress exhibit a security flaw that allows for arbitrary file uploads. This vulnerability arises from inadequate validation of file types during the extraction of uploaded Zip files within specific functions. As a result, attackers with contributor-level permissions can exploit this weakness to upload unauthorized files, potentially leading to remote code execution. This issue affects versions of both plugins up to and including 2.0.10 for Envato Elements & Download and 1.0.13 for Template Kit – Import.

Affected Version(s)

Envato Elements – Photos & Elementor Templates * <= 2.0.10

Template Kit – Import * <= 1.0.13

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/changeset?sfp_email=&s...

EPSS Score

8% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Mar 7, 2023
Vulnerability Reserved
Mar 7, 2023

Credit

Chloe Chamberland