CVE-2022-29451 WordPress Rara One Click Demo Import plugin <= 1.2.9 - Cross-Site Request Forgery (CSRF) leads to Arbitrary File Upload vulnerability

2022-04-2916:58:13

CWE-434

CWE-352

Patchstack

www.cve.org

wordpress

rara one click demo import plugin

csrf

file upload

vulnerability

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

AI Score

8.9

Confidence

High

EPSS

0.001

Percentile

39.6%

JSON

Cross-Site Request Forgery (CSRF) leading to Arbitrary File Upload vulnerability in Rara One Click Demo Import plugin <= 1.2.9 on WordPress allows attackers to trick logged-in admin users into uploading dangerous files into /wp-content/uploads/ directory.

CNA Affected

[
  {
    "product": "Rara One Click Demo Import (WordPress plugin)",
    "vendor": "Raratheme",
    "versions": [
      {
        "lessThanOrEqual": "1.2.9",
        "status": "affected",
        "version": "<= 1.2.9",
        "versionType": "custom"
      }
    ]
  }
]

References

patchstack.com/database/vulnerability/rara-one-click-demo-import/wordpress-rara-one-click-demo-import-plugin-1-2-9-cross-site-request-forgery-csrf-leads-to-arbitrary-file-upload-vulnerability

wordpress.org/plugins/rara-one-click-demo-import/#developers