SB2020031913 - Improper access control in Gutenberg & Elementor Templates Importer For Responsive plugin for WordPress
Published: March 19, 2020
Security Bulletin ID
SB2020031913
Severity
High
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Data manipulation
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Improper access control (CVE-ID: N/A)
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions in various AJAX actions (23). A remote authenticated attacker can bypass implemented security restrictions and reset site data, inject malicious JavaScript in pages, modify theme customizer data, import .xml and .json files and activate plugins, among many other actions.
Note: Majority of the vulnerable AJAX action were found in the "/class-responsive-ready-sites-importer.php" file.
Remediation
Install update from vendor's website.