PT-2021-22526 · Accesspress · Accesspress-Parallax+6

Lenon Leite · Published 2021-10-11 · Updated 2022-12-09 · CVE-2021-39317

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions:
AccessPress Demo Importer versions 1.0.6 and earlier
accesspress-basic versions 3.2.1 and earlier
accesspress-lite versions 2.92 and earlier
accesspress-mag versions 2.6.5 and earlier
accesspress-parallax version 4.5
accesspress-root version 2.5
accesspress-store versions 2.4.9 and earlier
agency-lite versions 1.1.6 and earlier
arrival versions 1.4.2 and earlier
bingle versions 1.0.4 and earlier
bloger versions 1.2.6 and earlier
brovy versions 1.3 and earlier
construction-lite versions 1.2.5 and earlier
doko versions 1.0.27 and earlier
edict-lite versions 1.1.4 and earlier
eightlaw-lite versions 2.1.5 and earlier
eightmedi-lite versions 2.1.8 and earlier
eight-sec versions 1.1.4 and earlier
eightstore-lite versions 1.2.5 and earlier
enlighten versions 1.3.5 and earlier
fotography versions 2.4.0 and earlier
opstore versions 1.4.3 and earlier
parallaxsome versions 1.3.6 and earlier
punte versions 1.1.2 and earlier
revolve versions 1.3.1 and earlier
ripple versions 1.2.0 and earlier
sakala versions 1.0.4 and earlier
scrollme versions 2.1.0 and earlier
storevilla versions 1.4.1 and earlier
swing-lite versions 1.1.9 and earlier
the100 versions 1.1.2 and earlier
the-launcher versions 1.3.2 and earlier
the-monday versions 1.4.1 and earlier
ultra-seven versions 1.2.8 and earlier
uncode-lite versions 1.3.3 and earlier
vmag versions 1.2.7 and earlier
vmagazine-lite versions 1.3.5 and earlier
vmagazine-news versions 1.0.5 and earlier
wpparallax versions 2.0.6 and earlier
wp-store versions 1.1.9 and earlier
zigcy-baby versions 1.0.6 and earlier
zigcy-cosmetics versions 1.0.5 and earlier
zigcy-lite versions 2.0.9 and earlier
Description: The vulnerability allows for malicious file uploads via the plugin offline installer AJAX action due to a missing capability check in the plugin offline installer callback function found in the /demo-functions.php or /welcome.php file of the affected products.
Recommendations: As a temporary workaround, consider disabling the plugin offline installer callback function until a patch is available. Restrict access to the /demo-functions.php and /welcome.php files to minimize the risk of exploitation. Avoid using the plugin offline installer AJAX action in the affected API endpoint until the issue is resolved. Update each affected product to a version later than the one listed:
AccessPress Demo Importer: later than 1.0.6
accesspress-basic: later than 3.2.1
accesspress-lite: later than 2.92
accesspress-mag: later than 2.6.5
accesspress-parallax: later than 4.5
accesspress-root: later than 2.5
accesspress-store: later than 2.4.9
agency-lite: later than 1.1.6
arrival: later than 1.4.2
bingle: later than 1.0.4
bloger: later than 1.2.6
brovy: later than 1.3
construction-lite: later than 1.2.5
doko: later than 1.0.27
edict-lite: later than 1.1.4
eightlaw-lite: later than 2.1.5
eightmedi-lite: later than 2.1.8
eight-sec: later than 1.1.4
eightstore-lite: later than 1.2.5
enlighten: later than 1.3.5
fotography: later than 2.4.0
opstore: later than 1.4.3
parallaxsome: later than 1.3.6
punte: later than 1.1.2
revolve: later than 1.3.1
ripple: later than 1.2.0
sakala: later than 1.0.4
scrollme: later than 2.1.0
storevilla: later than 1.4.1
swing-lite: later than 1.1.9
the100: later than 1.1.2
the-launcher: later than 1.3.2
the-monday: later than 1.4.1
ultra-seven: later than 1.2.8
uncode-lite: later than 1.3.3
vmag: later than 1.2.7
vmagazine-lite: later than 1.3.5
vmagazine-news: later than 1.0.5
wpparallax: later than 2.0.6
wp-store: later than 1.1.9
zigcy-baby: later than 1.0.6
zigcy-cosmetics: later than 1.0.5
zigcy-lite: later than 2.0.9
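The missing capability check described above, shown as an added example in WordPress PHP. This is not the AccessPress code: the hook name, function names and nonce action are hypothetical, and the hardened form is what the fix and the workaround above are aiming at.

```php
<?php
// Added example, not the AccessPress code. Hook, function and nonce names are
// hypothetical; the structure mirrors how admin-ajax.php callbacks are wired.

// Pattern the advisory describes: a wp_ajax_ callback that handles an uploaded
// file without ever asking whether the caller is allowed to install plugins.
// wp_ajax_ hooks fire for ANY logged-in user (PR:L in the CVSS vector), so a
// subscriber-level account reaches this code path.
add_action( 'wp_ajax_example_offline_installer', 'example_offline_installer_unchecked' );
function example_offline_installer_unchecked() {
    // No nonce and no current_user_can(): authorization is missing entirely.
    $result = wp_handle_upload( $_FILES['file'], array( 'test_form' => false ) );
    wp_send_json( $result );
}

// Hardened form: tie the request to the admin page that issued it (nonce),
// require the capability that actually authorizes plugin installation, and
// accept only the archive type an offline installer needs.
add_action( 'wp_ajax_example_offline_installer_safe', 'example_offline_installer_safe' );
function example_offline_installer_safe() {
    // Rejects the request (HTTP 403) if the nonce is absent or invalid.
    check_ajax_referer( 'example_offline_installer', 'nonce' );

    // Capability check: only roles allowed to install plugins may proceed.
    if ( ! current_user_can( 'install_plugins' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges' ), 403 );
    }

    if ( empty( $_FILES['file'] ) ) {
        wp_send_json_error( array( 'message' => 'No file received' ), 400 );
    }

    require_once ABSPATH . 'wp-admin/includes/file.php';
    // Restricting 'mimes' makes wp_handle_upload reject anything whose extension
    // and detected content are not a zip archive (no PHP files, no double extensions).
    $result = wp_handle_upload(
        $_FILES['file'],
        array(
            'test_form' => false,
            'mimes'     => array( 'zip' => 'application/zip' ),
        )
    );

    if ( isset( $result['error'] ) ) {
        wp_send_json_error( array( 'message' => $result['error'] ), 400 );
    }

    wp_send_json_success( array( 'file' => basename( $result['file'] ) ) );
}
```

A quick audit check for any plugin or theme: every add_action( 'wp_ajax_...' ) target should contain both a nonce verification and a current_user_can() call before touching $_FILES or the filesystem.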

Weakness Enumeration

Improper Authorization
Unrestricted File Upload

Related Identifiers

CVE-2021-39317

Affected Products

Accesspress Demo Importer
Accesspress-Basic
Accesspress-Lite
Accesspress-Mag
Accesspress-Parallax
Accesspress-Root
Accesspress-Store