CVE-2021-39317 - Accesspressthemes Access Demo Importer
Critical 8.8
Versions up to, and including, 1.0.6, of the Access Demo Importer WordPress plugin are vulnerable to arbitrary file uploads via the plugin_offline_installer AJAX action due to a missing capability check in the plugin_offline_installer_callback function found in the ~/inc/demo-functions.php.
Affected software
Accesspressthemes Access Demo Importer
Reference links
- https://www.wordfence.com/blog/2021/10/high-severity-vulnerability-patched-in-access-demo-importer-plugin/
- https://plugins.trac.wordpress.org/changeset/2602132/access-demo-importer/trunk/inc/demo-functions.php
- https://plugins.trac.wordpress.org/changeset/2592642/access-demo-importer/trunk/inc/demo-functions.php