Arbitrary File Upload Vulnerability in Envato Elements and Template Kit – Import for WordPress
CVE-2021-4330

8.8HIGH

Key Information:

Vendor: Wordpress
Status: Template Kit – Import; Envato Elements – Photos & Elementor Templates
Vendor: CVE Published:; 7 March 2023

What is CVE-2021-4330?

The Envato Elements & Download and Template Kit – Import plugins for WordPress exhibit a security flaw that allows for arbitrary file uploads. This vulnerability arises from inadequate validation of file types during the extraction of uploaded Zip files within specific functions. As a result, attackers with contributor-level permissions can exploit this weakness to upload unauthorized files, potentially leading to remote code execution. This issue affects versions of both plugins up to and including 2.0.10 for Envato Elements & Download and 1.0.13 for Template Kit – Import.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

Envato Elements – Photos & Elementor Templates * <= 2.0.10

Template Kit – Import * <= 1.0.13

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/changeset?sfp_email=&s...

EPSS Score

5% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Mar 7, 2023
Vulnerability Reserved
Mar 7, 2023

Credit

Chloe Chamberland

JSON

Wordpress

What is CVE-2021-4330?

Human OS v1.0: Ageing Is an Unpatched Zero-Day Vulnerability.

Affected Version(s)

References

EPSS Score

CVSS V3.1

Timeline

Credit

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.