CVE-2021-4330

Name of the Vulnerable Software and Affected Versions Template Kit – Import versions up to and including 1.0.13 Envato Elements & Download versions up to and including 2.0.10

Description The Envato Elements & Download and Template Kit – Import plugins for WordPress are vulnerable to arbitrary file uploads due to insufficient validation of file type upon extracting uploaded Zip files in the installFreeTemplateKit and uploadTemplateKitZipFile functions. This makes it possible for attackers with contributor-level permissions and above to upload arbitrary files and potentially gain remote code execution.

Recommendations For Template Kit – Import versions up to and including 1.0.13, update to a version later than 1.0.13 to resolve the issue. For Envato Elements & Download versions up to and including 2.0.10, update to a version later than 2.0.10 to resolve the issue. As a temporary workaround, consider disabling the installFreeTemplateKit and uploadTemplateKitZipFile functions until a patch is available.