Arbitrary File Upload Vulnerability in SKT Page Builder for WordPress
CVE-2024-12848
8.8HIGH
Summary
The SKT Page Builder plugin for WordPress contains a vulnerability due to a missing capability check within the 'addLibraryByArchive' function. This flaw allows authenticated users with at least subscriber-level access to upload arbitrary files. If exploited, this could enable remote code execution vulnerabilities on the target website, posing significant risks to its integrity and security. It is essential for site administrators to assess and update their installations to mitigate these security issues.
Affected Version(s)
SKT Page Builder * <= 4.7
References
CVSS V3.1
Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Matthew Rollings
Youcef Hamdani