3 matches found
CVE-2021-39352
CVE-2021-39352 affects the WordPress plugin Catch Themes Demo Import, vulnerable in versions up to 1.7 (pre-1.8). The root cause is insufficient file-type validation in ~/inc/CatchThemesDemoImport.php, enabling an authenticated administrator to upload arbitrary files that can be used for remote c...
CVE-2022-0440
Affected software. Catch Themes Demo Import WordPress plugin (versions before 2.1.1). Root cause. The plugin does not validate one of the files to be imported, enabling an elevated-privilege admin to upload an arbitrary PHP file. Impact. Remote Code Execution (RCE) potentially even on hardened Wo...
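Both advisories above come down to the same missing control: an importer accepts a file from the request and hands it on without confirming it is the content type that import slot expects. The following is an added example, not code from the Catch Themes Demo Import plugin and not its actual fix; every `ex_`-prefixed name, the slot names and the allowlist are assumptions made for illustration. It assumes it runs inside WordPress so the core helpers `wp_check_filetype_and_ext`, `sanitize_file_name` and `WP_Error` are available.

```php
<?php
/**
 * Added example (not the plugin's own code). Shows a per-slot file-type check
 * for a demo importer. Names prefixed "ex_" and the slot/allowlist layout are
 * assumptions for this example.
 */

// Each import slot only ever legitimately receives one kind of file.
// Layout: slot => [ extension => MIME type ], the shape wp_check_filetype_and_ext()
// expects for its $mimes argument.
const EX_IMPORT_MIMES = [
    'content'    => [ 'xml'  => 'text/xml' ],                                    // WXR export
    'widgets'    => [ 'wie'  => 'application/json', 'json' => 'application/json' ],
    'customizer' => [ 'dat'  => 'application/octet-stream' ],
];

/**
 * Return the path if the file is acceptable for $slot, otherwise a WP_Error.
 *
 * @param string $slot One of the EX_IMPORT_MIMES keys, taken from the request.
 * @param string $path Absolute path of the uploaded or staged file.
 */
function ex_validate_import_file( string $slot, string $path ) {
    if ( ! isset( EX_IMPORT_MIMES[ $slot ] ) ) {
        return new WP_Error( 'ex_bad_slot', 'Unknown import slot.' );
    }
    if ( ! is_file( $path ) ) {
        return new WP_Error( 'ex_missing', 'Import file does not exist.' );
    }

    $allowed = EX_IMPORT_MIMES[ $slot ];
    $name    = sanitize_file_name( basename( $path ) );

    // Refuse double extensions such as shell.php.xml outright: on a server with
    // a permissive AddHandler configuration they can still execute as PHP even
    // though the final extension is on the allowlist.
    $parts = explode( '.', strtolower( $name ) );
    array_shift( $parts ); // drop the base name, keep every extension segment
    foreach ( $parts as $segment ) {
        if ( preg_match( '/^ph(p|ps|tml|ar)\d*$/', $segment ) ) {
            return new WP_Error( 'ex_dangerous_ext', 'Executable extension in file name.' );
        }
    }

    // Core check: the extension must be in the slot's allowlist and, where PHP's
    // fileinfo extension is available, the sniffed MIME type must be consistent
    // with it. Either 'ext' or 'type' coming back empty means "not allowed".
    $check = wp_check_filetype_and_ext( $path, $name, $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        return new WP_Error( 'ex_bad_type', 'File type not allowed for this import slot.' );
    }

    // If core proposed a corrected file name, the caller should rename before use.
    return $path;
}

// Usage at the point where the importer would otherwise trust the request value:
// $ok = ex_validate_import_file( 'content', $staged_path );
// if ( is_wp_error( $ok ) ) { wp_die( esc_html( $ok->get_error_message() ) ); }
```

Two design points. The allowlist is keyed by slot rather than being one global list, so a PHP file cannot be smuggled in by pointing it at a slot that happens to accept a permissive type. And the check is on the content type, not on who is calling: even though only administrators reach this code path, an admin account is routinely the thing an attacker obtains first (password reuse, a leaked session, a CSRF'd click), and the plugin should not turn that into code execution on the server.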
CVE-2021-24752
CVE-2021-24752 affects multiple CatchThemes plugins that fail capability and CSRF checks in the ctp_switch AJAX action. This allows any authenticated user (e.g., Subscriber) to alter plugin settings for: Essential Widgets (≤1.9), To Top (≤2.3), Header Enhancement (≤1.5), Generate Child Theme (≤1....
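The ctp_switch finding is a textbook pair of omissions in a WordPress AJAX handler: no capability check (authorization) and no nonce check (CSRF). The following is an added example and not the CatchThemes plugins' own code or fix; the handler name `ex_ctp_switch`, the option name `ex_ctp_enabled`, the nonce action and the script handle are all assumptions made for illustration. It assumes it runs inside WordPress, where `wp_ajax_*` hooks fire only for logged-in users.

```php
<?php
/**
 * Added example (not the plugins' own code). A settings-toggle AJAX action in the
 * vulnerable shape described by the advisory, beside a hardened version.
 * All "ex_" names, the option and the nonce action are assumptions.
 */

// --- Vulnerable pattern ---------------------------------------------------
// Reachable by any logged-in user via admin-ajax.php?action=ex_ctp_switch_unsafe.
add_action( 'wp_ajax_ex_ctp_switch_unsafe', function () {
    // No capability check: a Subscriber can flip the setting directly.
    // No nonce check: a page on another origin can make an administrator's
    // browser submit this request (CSRF), since cookies ride along.
    update_option( 'ex_ctp_enabled', sanitize_key( $_POST['state'] ?? '' ) );
    wp_send_json_success();
} );

// --- Hardened pattern -----------------------------------------------------
add_action( 'wp_ajax_ex_ctp_switch', 'ex_ctp_switch_handler' );
function ex_ctp_switch_handler() {
    // 1. CSRF: the request must carry a nonce minted for this action and this
    //    user. check_ajax_referer() terminates the request on a missing or
    //    invalid nonce, so nothing below runs in that case.
    check_ajax_referer( 'ex_ctp_switch_nonce', 'nonce' );

    // 2. Authorization: a valid nonce proves intent, not privilege. Any user who
    //    can load a page that minted one would otherwise pass, so the capability
    //    check is still required.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'Insufficient privileges.', 403 );
    }

    // 3. Validate the value itself; the toggle has exactly two states.
    $state = sanitize_key( wp_unslash( $_POST['state'] ?? '' ) );
    if ( ! in_array( $state, [ 'on', 'off' ], true ) ) {
        wp_send_json_error( 'Invalid state.', 400 );
    }

    update_option( 'ex_ctp_enabled', $state );
    wp_send_json_success( [ 'state' => $state ] );
}

// The admin screen that renders the toggle must mint the nonce and hand it to
// the front-end script, which sends it back as the "nonce" POST field.
add_action( 'admin_enqueue_scripts', function () {
    wp_enqueue_script( 'ex-ctp-switch', plugins_url( 'switch.js', __FILE__ ), [ 'jquery' ], '1.0', true );
    wp_localize_script( 'ex-ctp-switch', 'exCtp', [
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'ex_ctp_switch_nonce' ),
    ] );
} );
```

A quick way to check a handler for this class of bug is to grep every `wp_ajax_` and `wp_ajax_nopriv_` callback for a `current_user_can(` and a `check_ajax_referer(`/`wp_verify_nonce(` call before any `update_option`, file write or database change; a handler missing either one is the shape the advisory describes.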