cbcvebase.
CVE-2024-6828
published 2024-07-23


Priority: P2 79 high
CVSS 3.1 base score: 7.2 (HIGH)
CVSS vector: AV:N / AC:L / PR:N / UI:N / S:C / C:L / I:L / A:N
ITW: Exploited in the wild (VulnCheck KEV)
EPSS: 1.03% (59.3th percentile)
The Redux Framework plugin for WordPress is vulnerable to unauthenticated JSON file uploads due to missing authorization and capability checks on the Redux_Color_Scheme_Import function in versions 4.4.12 to 4.4.17. This makes it possible for unauthenticated attackers to upload JSON files, which can be used to conduct stored cross-site scripting attacks and, in some rare cases when the wp_filesystem fails to initialize, to achieve remote code execution.

Affected

1 range

Vendor: davidanderson
Product: redux_framework
Version range: 4.4.12 – 4.4.17
Fixed in: (not listed)

CVSS provenance

Source: nvd | Version: v3.1 | Score: 7.2 | Severity: HIGH | Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Source: vulncheck | Score: 7.2 | Severity: HIGH