PT-2024-37889 · WordPress · Redux Framework
Villu Orav +1
Published 2024-07-23 · Updated 2024-07-24
CVE-2024-6828
CVSS v3.1: 7.2 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Redux Framework plugin for WordPress versions 4.4.12 through 4.4.17
Description
The issue arises from a missing authorization (capability) check on the Redux Color Scheme Import function: the import handler can be reached without an authenticated, privileged user, so an unauthenticated attacker can upload arbitrary JSON files to the site. The uploaded content can be used for stored cross-site scripting. In rare cases, when the WordPress filesystem abstraction (WP_Filesystem) fails to initialize, the same flaw can lead to remote code execution.

Recommendations
For versions 4.4.12 through 4.4.17, update to a release that adds the authorization and capability checks to the Redux Color Scheme Import function so that unauthenticated JSON uploads are rejected. If you cannot update immediately, disable the Redux Color Scheme Import function (or deactivate the plugin) as a temporary mitigation.

Weakness Enumeration
Unrestricted File Upload
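To make the description and the recommended fix concrete, the following is an added illustration written for this page; it is not Redux Framework's own code and does not reproduce the plugin's real handler. It shows a minimal WordPress AJAX "import colour scheme" endpoint in the vulnerable shape the advisory describes (reachable by anonymous users, no capability or nonce check, attacker-controlled file name and body, and a raw-write fallback when WP_Filesystem is unavailable), followed by a hardened version that applies the checks the recommendation calls for. The hook names, the `redux_demo_` prefix, the upload sub-directory and the assumption that stored scheme values are later rendered in the admin UI are all assumptions made for the example.

```php
<?php
/*
 * Added example for this advisory page, not Redux Framework's code.
 * Assumptions: hook names, the redux_demo_ prefix and the storage directory
 * are invented; stored scheme values are assumed to be rendered later in
 * the admin UI, which is where the stored XSS would land.
 */

// ---------- Vulnerable shape ----------
// The nopriv hook means an anonymous POST to
// wp-admin/admin-ajax.php?action=redux_demo_import_scheme reaches the handler.
add_action( 'wp_ajax_nopriv_redux_demo_import_scheme', 'redux_demo_import_scheme_vulnerable' );
add_action( 'wp_ajax_redux_demo_import_scheme', 'redux_demo_import_scheme_vulnerable' );

function redux_demo_import_scheme_vulnerable() {
    // No current_user_can() and no check_ajax_referer(): anyone can call this.
    $name     = isset( $_POST['name'] ) ? $_POST['name'] : 'scheme';
    $contents = isset( $_POST['scheme'] ) ? wp_unslash( $_POST['scheme'] ) : '';

    // Path components and file body are attacker-controlled and unvalidated:
    // the body is never checked to be JSON, so any text is stored verbatim.
    $dir  = wp_upload_dir()['basedir'] . '/redux-demo-schemes/';
    $file = $dir . $name . '.json';

    if ( WP_Filesystem() ) {
        global $wp_filesystem;
        $wp_filesystem->mkdir( $dir );
        $wp_filesystem->put_contents( $file, $contents, FS_CHMOD_FILE );
    } else {
        // Fallback when WP_Filesystem cannot initialise: a raw PHP write with
        // no validation at all, the "rare case" path the advisory warns about.
        @mkdir( $dir, 0755, true );
        file_put_contents( $file, $contents );
    }
    wp_send_json_success( array( 'file' => $file ) );
}

// ---------- Hardened shape ----------
// Deliberately NO wp_ajax_nopriv_ registration: anonymous users never reach it.
add_action( 'wp_ajax_redux_demo_import_scheme_safe', 'redux_demo_import_scheme_safe' );

function redux_demo_import_scheme_safe() {
    // 1. Authorisation: only users allowed to change site-wide settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }
    // 2. CSRF: the admin page must have emitted wp_create_nonce( 'redux_demo_import' )
    //    and posted it as the "nonce" field; check_ajax_referer() dies on mismatch.
    check_ajax_referer( 'redux_demo_import', 'nonce' );

    // 3. Input validation: reduce the name to a safe basename and require the
    //    body to parse as a JSON object before anything touches disk.
    $name     = sanitize_file_name( wp_unslash( $_POST['name'] ?? 'scheme' ) );
    $contents = wp_unslash( $_POST['scheme'] ?? '' );
    $decoded  = json_decode( $contents, true );
    if ( '' === $name || ! is_array( $decoded ) || JSON_ERROR_NONE !== json_last_error() ) {
        wp_send_json_error( 'invalid scheme', 400 );
    }
    $decoded = redux_demo_sanitize_scheme( $decoded );

    // 4. Storage: fail closed if WP_Filesystem is unavailable instead of falling
    //    back to a raw write, and re-encode so only validated data is stored.
    if ( ! WP_Filesystem() ) {
        wp_send_json_error( 'filesystem unavailable', 500 );
    }
    global $wp_filesystem;
    $dir  = trailingslashit( wp_upload_dir()['basedir'] ) . 'redux-demo-schemes/';
    $file = $dir . $name . '.json';
    if ( ! $wp_filesystem->is_dir( $dir ) ) {
        $wp_filesystem->mkdir( $dir );
    }
    $wp_filesystem->put_contents( $file, wp_json_encode( $decoded ), FS_CHMOD_FILE );
    wp_send_json_success( array( 'file' => basename( $file ) ) );
}

// Keep only colour-like values so nothing script-bearing is stored for the
// admin UI to render later (the stored-XSS half of the advisory).
function redux_demo_sanitize_scheme( array $scheme ) {
    $clean = array();
    foreach ( $scheme as $key => $value ) {
        $key = sanitize_key( $key );
        if ( '' !== $key && is_string( $value ) && preg_match( '/^#[0-9a-fA-F]{3,8}$/', $value ) ) {
            $clean[ $key ] = $value;
        }
    }
    return $clean;
}
```

The two properties that matter for this CVE are the first and the last: the handler is registered only on the authenticated `wp_ajax_` hook and still checks a capability and a nonce itself (hook registration alone is not an authorization check), and it refuses to write anything when `WP_Filesystem()` cannot initialise rather than degrading to `file_put_contents()`. Input sanitisation and re-encoding close the stored-XSS path independently of who is allowed to call the endpoint.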
Affected Products
Redux Framework