Arbitrary File Upload Vulnerability in Envato Elements and Template Kit – Import for WordPress
CVE-2021-4330
8.8HIGH
Key Information:
- Vendor
Wordpress
- Vendor
- CVE Published:
- 7 March 2023
What is CVE-2021-4330?
The Envato Elements & Download and Template Kit – Import plugins for WordPress exhibit a security flaw that allows for arbitrary file uploads. This vulnerability arises from inadequate validation of file types during the extraction of uploaded Zip files within specific functions. As a result, attackers with contributor-level permissions can exploit this weakness to upload unauthorized files, potentially leading to remote code execution. This issue affects versions of both plugins up to and including 2.0.10 for Envato Elements & Download and 1.0.13 for Template Kit – Import.
Affected Version(s)
Envato Elements – Photos & Elementor Templates * <= 2.0.10
Template Kit – Import * <= 1.0.13