SB2021081401 - Multiple vulnerabilities in WP User Avatar plugin for WordPress




Published: August 14, 2021 Updated: August 14, 2023

Security Bulletin ID: SB2021081401
Severity: High
Patch available: Yes
Number of vulnerabilities: 4
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

High: 100% (all 4 vulnerabilities); Low, Medium and Critical: 0%

Description

This security bulletin contains information about 4 security vulnerabilities in the WP User Avatar plugin for WordPress: two privilege escalation issues (in user registration and in profile updates) and two arbitrary file upload issues (in the file uploader and in the image uploader).


1) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2021-34621)

The vulnerability allows a remote attacker to escalate privileges on the affected site.

The vulnerability exists because the application does not properly enforce security restrictions during user registration: fields that should be controlled by the server are accepted from the registration request. This leads to a security restrictions bypass and privilege escalation, since an unauthenticated attacker can register an account with a higher role than the site's default.


2) Arbitrary file upload (CVE-ID: CVE-2021-34624)

The vulnerability allows a remote attacker to compromise the vulnerable site.

The vulnerability exists due to insufficient validation of uploaded files in the file uploader component. A remote attacker can upload a file containing server-side code (for example a PHP script) to a web-accessible directory and then request it, causing it to execute on the server.


3) Arbitrary file upload (CVE-ID: CVE-2021-34623)

The vulnerability allows a remote attacker to compromise the vulnerable site.

The vulnerability exists due to insufficient validation of uploaded files in the image uploader component. A remote attacker can upload a file that is not actually an image (for example a PHP script with an image file name) to a web-accessible directory and then request it, causing it to execute on the server.
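Both upload issues come down to trusting the client-supplied file name and type and writing the file under the web root. The following is an added example, not code from the WP User Avatar plugin or its vendor: it contrasts that unsafe pattern with an avatar handler built on the core WordPress upload APIs. The function names ppx_avatar_upload_unsafe and ppx_avatar_upload_safe, the avatars subdirectory, the ppx_avatar_url meta key and the nonce action name are hypothetical; $file is one entry of $_FILES.

```php
<?php
// Added example; not code from WP User Avatar / ProfilePress. All ppx_* names are hypothetical.
// $file is one entry of $_FILES: name, type, tmp_name, error, size.

// VULNERABLE PATTERN: the client-supplied name (and therefore the extension) reaches the
// filesystem unchanged, and nothing checks who is uploading or what the bytes contain.
// A request whose file is named shell.php lands under the web root and can be fetched
// and executed directly.
function ppx_avatar_upload_unsafe( array $file ) {
    $dir  = wp_upload_dir();
    $dest = $dir['basedir'] . '/avatars/' . $file['name'];
    move_uploaded_file( $file['tmp_name'], $dest );
    return $dir['baseurl'] . '/avatars/' . $file['name'];
}

// HARDENED: authentication and nonce, size cap, a fixed allow-list of image types that is
// checked against the file contents rather than the name, and a server-generated file name.
function ppx_avatar_upload_safe( array $file ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'ppx_forbidden', 'You must be logged in to upload an avatar.' );
    }
    check_ajax_referer( 'ppx_avatar_upload', 'nonce' ); // dies on a missing or bad nonce (CSRF)

    if ( ! isset( $file['error'], $file['tmp_name'] )
        || UPLOAD_ERR_OK !== $file['error']
        || ! is_uploaded_file( $file['tmp_name'] ) ) {
        return new WP_Error( 'ppx_bad_upload', 'Upload failed.' );
    }
    if ( $file['size'] > 2 * MB_IN_BYTES ) {
        return new WP_Error( 'ppx_too_large', 'Avatar must be 2 MB or smaller.' );
    }

    // Only raster image types. The same list is handed to both WordPress checks below,
    // so the client-supplied Content-Type is never consulted.
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'gif'      => 'image/gif',
    );

    // wp_check_filetype_and_ext() inspects the bytes (image header, then fileinfo) and returns
    // an empty ext/type when the real content is not an allowed type for that extension.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        return new WP_Error( 'ppx_bad_type', 'Only JPEG, PNG or GIF images are accepted.' );
    }
    // Belt and braces (covers hosts without the fileinfo extension): the file must parse as an image.
    if ( false === @getimagesize( $file['tmp_name'] ) ) {
        return new WP_Error( 'ppx_bad_image', 'File is not a valid image.' );
    }

    // Server-chosen name: no attacker-controlled extension, path separator or NUL byte reaches disk.
    $file['name'] = wp_generate_uuid4() . '.' . $check['ext'];

    $result = wp_handle_upload( $file, array( 'test_form' => false, 'mimes' => $allowed ) );
    if ( isset( $result['error'] ) ) {
        return new WP_Error( 'ppx_upload_failed', $result['error'] );
    }
    update_user_meta( get_current_user_id(), 'ppx_avatar_url', esc_url_raw( $result['url'] ) );
    return $result['url'];
}
```

Validation in the handler is the fix; denying script execution in the upload tree is the defence in depth that limits the damage when the next uploader has the same bug, for example an nginx rule such as `location ~* ^/wp-content/uploads/.*\.php$ { deny all; }` or the equivalent Apache directive. When checking whether an already exposed site was abused, `find wp-content/uploads -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.phar' \)` lists files that should never be there.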


4) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2021-34622)

The vulnerability allows a remote attacker to escalate privileges on the affected site.

The vulnerability exists because the application does not properly enforce security restrictions during user profile updates: fields that should be restricted to administrators are accepted from the profile update request. This leads to a security restrictions bypass and privilege escalation, since an authenticated low-privileged user can raise their own role.
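Issues 1 and 4 are the same mass-assignment mistake in two places: request fields are passed through to user creation or update without an allow-list, so a field that WordPress itself treats as privileged (a role key in the user data, or the {$wpdb->prefix}capabilities user meta that stores the role) is honoured. The following is an added example, not the plugin's code; the ppx_* function names, nonce actions and custom meta keys are hypothetical, and it serves both the registration and the profile-update case.

```php
<?php
// Added example; not code from WP User Avatar / ProfilePress. All ppx_* names are hypothetical.

// VULNERABLE PATTERN: whatever the form posts becomes the user data. wp_insert_user() and
// wp_update_user() both honour a 'role' key and perform no capability check of their own
// (that check lives in the admin UI), so a registration POST carrying role=administrator
// creates an administrator, and a profile-update POST carrying role=administrator, or an
// attacker-chosen ID, promotes the caller or edits someone else's account.
function ppx_register_unsafe() {
    return wp_insert_user( wp_unslash( $_POST ) ); // an 'ID' key here even turns it into an update
}
function ppx_profile_update_unsafe() {
    $data       = wp_unslash( $_POST );
    $data['ID'] = $data['ID'] ?? get_current_user_id();
    return wp_update_user( $data );
}

// HARDENED registration: explicit allow-list of fields, role chosen by the server.
function ppx_register_safe() {
    check_ajax_referer( 'ppx_register', 'nonce' );
    if ( ! get_option( 'users_can_register' ) ) {
        return new WP_Error( 'ppx_closed', 'Registration is disabled.' );
    }
    $p        = wp_unslash( $_POST );
    $userdata = array(
        'user_login' => sanitize_user( $p['user_login'] ?? '', true ),
        'user_email' => sanitize_email( $p['user_email'] ?? '' ),
        'user_pass'  => (string) ( $p['user_pass'] ?? '' ),
        'first_name' => sanitize_text_field( $p['first_name'] ?? '' ),
        'last_name'  => sanitize_text_field( $p['last_name'] ?? '' ),
        'role'       => get_option( 'default_role' ), // never taken from the request
    );
    if ( '' === $userdata['user_login']
        || ! is_email( $userdata['user_email'] )
        || strlen( $userdata['user_pass'] ) < 12 ) {
        return new WP_Error( 'ppx_invalid', 'Invalid registration data.' );
    }
    return wp_insert_user( $userdata );
}

// HARDENED profile update: the target is always the caller, privileged keys cannot be
// reached, and custom meta is written only for allow-listed keys.
function ppx_profile_update_safe() {
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'ppx_forbidden', 'Login required.' );
    }
    check_ajax_referer( 'ppx_profile', 'nonce' );
    $p       = wp_unslash( $_POST );
    $user_id = get_current_user_id(); // not $p['ID']: a user may only edit their own profile

    $userdata = array(
        'ID'          => $user_id,
        'first_name'  => sanitize_text_field( $p['first_name'] ?? '' ),
        'last_name'   => sanitize_text_field( $p['last_name'] ?? '' ),
        'description' => sanitize_textarea_field( $p['description'] ?? '' ),
        'user_url'    => esc_url_raw( $p['user_url'] ?? '' ),
    );
    $result = wp_update_user( $userdata );
    if ( is_wp_error( $result ) ) {
        return $result;
    }

    // Custom profile fields: a fixed key list, so wp_capabilities / wp_user_level (the role
    // store) and every other core meta key can never be named by the client.
    $meta_allowed = array( 'ppx_twitter', 'ppx_location' ); // hypothetical plugin fields
    foreach ( $meta_allowed as $key ) {
        if ( array_key_exists( $key, $p ) ) {
            update_user_meta( $user_id, $key, sanitize_text_field( $p[ $key ] ) );
        }
    }
    return $user_id;
}
```

The pattern to look for in any plugin, not just this one, is a loop over $_POST keys ending in update_user_meta() or a request array handed straight to wp_insert_user() / wp_update_user(). To check whether either flaw was already used on a site, `wp user list --role=administrator --fields=ID,user_login,user_email,user_registered` lists every administrator with its creation date, and `wp user meta get <user> wp_capabilities` shows the stored role of a suspicious account; any administrator that appeared while the vulnerable version was installed deserves a closer look.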


Remediation

Install the update from the vendor's website or the WordPress plugin directory; if updating is not possible, deactivate and remove the plugin. Because two of the issues allow privilege escalation and two allow code execution, patching alone does not undo an earlier compromise: after updating, review administrator accounts and recent role changes, inspect wp-content/uploads for executable files, and rotate credentials if anything suspicious is found.