CVE-2024-6828 - OpenCVE

The Redux Framework plugin for WordPress is vulnerable to unauthenticated JSON file uploads due to missing authorization and capability checks on the Redux_Color_Scheme_Import function in versions 4.4.12 to 4.4.17. This makes it possible for unauthenticated attackers to upload JSON files, which can be used to conduct stored cross-site scripting attacks and, in some rare cases, when the wp_filesystem fails to initialize - to Remote Code Execution.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

References

Link	Providers
https://core.trac.wordpress.org/browser/tags/6.5.4/src/wp-includes/class-wp-theme-json.php#L1690
https://plugins.trac.wordpress.org/browser/redux-framework/tags/4.4.17/redux-core/inc/classes/class-redux-filesystem.php#L614
https://plugins.trac.wordpress.org/browser/redux-framework/tags/4.4.17/redux-core/inc/classes/class-redux-helpers.php#L938
https://plugins.trac.wordpress.org/browser/redux-framework/tags/4.4.17/redux-core/inc/extensions/color_scheme/color_scheme/class-redux-color-scheme-import.php#L75
https://plugins.trac.wordpress.org/browser/redux-framework/tags/4.4.17/redux-core/inc/fields/typography/redux-typography.js#L646
https://plugins.trac.wordpress.org/browser/redux-framework/trunk/redux-core/inc/classes/class-redux-filesystem.php#L166
https://www.wordfence.com/threat-intel/vulnerabilities/id/18a37063-31aa-4b1f-b1a5-1ea921a20686?source=cve

History

No history.

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2024-07-23T02:01:39.248Z

Updated: 2024-08-01T21:45:38.314Z

Reserved: 2024-07-16T23:35:55.802Z

Link: CVE-2024-6828

Vulnrichment

Updated: 2024-08-01T21:45:38.314Z

NVD

Status : Awaiting Analysis

Published: 2024-07-23T02:15:02.370

Modified: 2024-07-24T12:55:13.223

Link: CVE-2024-6828

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-6828", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2024-07-16T23:35:55.802Z", "datePublished": "2024-07-23T02:01:39.248Z", "dateUpdated": "2024-08-01T21:45:38.314Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2024-07-23T02:01:39.248Z"}, "affected": [{"vendor": "davidanderson", "product": "Redux Framework", "versions": [{"version": "4.4.12", "status": "affected", "lessThanOrEqual": "4.4.17", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Redux Framework plugin for WordPress is vulnerable to unauthenticated JSON file uploads due to missing authorization and capability checks on the Redux_Color_Scheme_Import function in versions 4.4.12 to 4.4.17. This makes it possible for unauthenticated attackers to upload JSON files, which can be used to conduct stored cross-site scripting attacks and, in some rare cases, when the wp_filesystem fails to initialize - to Remote Code Execution."}], "title": "Redux Framework 4.4.12 - 4.4.17 - Unauthenticated JSON File Upload to Stored Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/18a37063-31aa-4b1f-b1a5-1ea921a20686?source=cve"}, {"url": "https://core.trac.wordpress.org/browser/tags/6.5.4/src/wp-includes/class-wp-theme-json.php#L1690"}, {"url": "https://plugins.trac.wordpress.org/browser/redux-framework/tags/4.4.17/redux-core/inc/extensions/color_scheme/color_scheme/class-redux-color-scheme-import.php#L75"}, {"url": "https://plugins.trac.wordpress.org/browser/redux-framework/tags/4.4.17/redux-core/inc/classes/class-redux-helpers.php#L938"}, {"url": "https://plugins.trac.wordpress.org/browser/redux-framework/tags/4.4.17/redux-core/inc/fields/typography/redux-typography.js#L646"}, {"url": "https://plugins.trac.wordpress.org/browser/redux-framework/trunk/redux-core/inc/classes/class-redux-filesystem.php#L166"}, {"url": "https://plugins.trac.wordpress.org/browser/redux-framework/tags/4.4.17/redux-core/inc/classes/class-redux-filesystem.php#L614"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-434 Unrestricted Upload of File with Dangerous Type", "cweId": "CWE-434", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "baseScore": 7.2, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Villu Orav"}], "timeline": [{"time": "2024-07-11T00:00:00.000+00:00", "lang": "en", "value": "Discovered"}, {"time": "2024-07-22T12:05:44.000+00:00", "lang": "en", "value": "Disclosed"}]}, "adp": [{"affected": [{"vendor": "redux", "product": "gutenberg_template_library_\\&_redux_framework", "cpes": ["cpe:2.3:a:redux:gutenberg_template_library_\\&_redux_framework:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "4.4.12", "status": "affected", "lessThanOrEqual": "4.4.17", "versionType": "semver"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-23T13:09:13.887309Z", "id": "CVE-2024-6828", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-25T15:52:36.382Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T21:45:38.314Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/18a37063-31aa-4b1f-b1a5-1ea921a20686?source=cve", "tags": ["x_transferred"]}, {"url": "https://core.trac.wordpress.org/browser/tags/6.5.4/src/wp-includes/class-wp-theme-json.php#L1690", "tags": ["x_transferred"]}, {"url": "https://plugins.trac.wordpress.org/browser/redux-framework/tags/4.4.17/redux-core/inc/extensions/color_scheme/color_scheme/class-redux-color-scheme-import.php#L75", "tags": ["x_transferred"]}, {"url": "https://plugins.trac.wordpress.org/browser/redux-framework/tags/4.4.17/redux-core/inc/classes/class-redux-helpers.php#L938", "tags": ["x_transferred"]}, {"url": "https://plugins.trac.wordpress.org/browser/redux-framework/tags/4.4.17/redux-core/inc/fields/typography/redux-typography.js#L646", "tags": ["x_transferred"]}, {"url": "https://plugins.trac.wordpress.org/browser/redux-framework/trunk/redux-core/inc/classes/class-redux-filesystem.php#L166", "tags": ["x_transferred"]}, {"url": "https://plugins.trac.wordpress.org/browser/redux-framework/tags/4.4.17/redux-core/inc/classes/class-redux-filesystem.php#L614", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/18a37063-31aa-4b1f-b1a5-1ea921a20686?source=cve", "tags": ["x_transferred"]}, {"url": "https://core.trac.wordpress.org/browser/tags/6.5.4/src/wp-includes/class-wp-theme-json.php#L1690", "tags": ["x_transferred"]}, {"url": "https://plugins.trac.wordpress.org/browser/redux-framework/tags/4.4.17/redux-core/inc/extensions/color_scheme/color_scheme/class-redux-color-scheme-import.php#L75", "tags": ["x_transferred"]}, {"url": "https://plugins.trac.wordpress.org/browser/redux-framework/tags/4.4.17/redux-core/inc/classes/class-redux-helpers.php#L938", "tags": ["x_transferred"]}, {"url": "https://plugins.trac.wordpress.org/browser/redux-framework/tags/4.4.17/redux-core/inc/fields/typography/redux-typography.js#L646", "tags": ["x_transferred"]}, {"url": "https://plugins.trac.wordpress.org/browser/redux-framework/trunk/redux-core/inc/classes/class-redux-filesystem.php#L166", "tags": ["x_transferred"]}, {"url": "https://plugins.trac.wordpress.org/browser/redux-framework/tags/4.4.17/redux-core/inc/classes/class-redux-filesystem.php#L614", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T21:45:38.314Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-6828", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-07-23T13:09:13.887309Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:redux:gutenberg_template_library_\\&_redux_framework:*:*:*:*:*:*:*:*"], "vendor": "redux", "product": "gutenberg_template_library_\\&_redux_framework", "versions": [{"status": "affected", "version": "4.4.12", "versionType": "semver", "lessThanOrEqual": "4.4.17"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-23T13:33:09.545Z"}}], "cna": {"title": "Redux Framework 4.4.12 - 4.4.17 - Unauthenticated JSON File Upload to Stored Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "Villu Orav"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.2, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "davidanderson", "product": "Redux Framework", "versions": [{"status": "affected", "version": "4.4.12", "versionType": "semver", "lessThanOrEqual": "4.4.17"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2024-07-11T00:00:00.000+00:00", "value": "Discovered"}, {"lang": "en", "time": "2024-07-22T12:05:44.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/18a37063-31aa-4b1f-b1a5-1ea921a20686?source=cve"}, {"url": "https://core.trac.wordpress.org/browser/tags/6.5.4/src/wp-includes/class-wp-theme-json.php#L1690"}, {"url": "https://plugins.trac.wordpress.org/browser/redux-framework/tags/4.4.17/redux-core/inc/extensions/color_scheme/color_scheme/class-redux-color-scheme-import.php#L75"}, {"url": "https://plugins.trac.wordpress.org/browser/redux-framework/tags/4.4.17/redux-core/inc/classes/class-redux-helpers.php#L938"}, {"url": "https://plugins.trac.wordpress.org/browser/redux-framework/tags/4.4.17/redux-core/inc/fields/typography/redux-typography.js#L646"}, {"url": "https://plugins.trac.wordpress.org/browser/redux-framework/trunk/redux-core/inc/classes/class-redux-filesystem.php#L166"}, {"url": "https://plugins.trac.wordpress.org/browser/redux-framework/tags/4.4.17/redux-core/inc/classes/class-redux-filesystem.php#L614"}], "descriptions": [{"lang": "en", "value": "The Redux Framework plugin for WordPress is vulnerable to unauthenticated JSON file uploads due to missing authorization and capability checks on the Redux_Color_Scheme_Import function in versions 4.4.12 to 4.4.17. This makes it possible for unauthenticated attackers to upload JSON files, which can be used to conduct stored cross-site scripting attacks and, in some rare cases, when the wp_filesystem fails to initialize - to Remote Code Execution."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-434", "description": "CWE-434 Unrestricted Upload of File with Dangerous Type"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2024-07-23T02:01:39.248Z"}}}, "cveMetadata": {"cveId": "CVE-2024-6828", "state": "PUBLISHED", "dateUpdated": "2024-08-01T21:45:38.314Z", "dateReserved": "2024-07-16T23:35:55.802Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2024-07-23T02:01:39.248Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Redux Framework plugin for WordPress is vulnerable to unauthenticated JSON file uploads due to missing authorization and capability checks on the Redux_Color_Scheme_Import function in versions 4.4.12 to 4.4.17. This makes it possible for unauthenticated attackers to upload JSON files, which can be used to conduct stored cross-site scripting attacks and, in some rare cases, when the wp_filesystem fails to initialize - to Remote Code Execution."}, {"lang": "es", "value": " El complemento Redux Framework para WordPress es vulnerable a cargas de archivos JSON no autenticados debido a la falta de autorizaci\u00f3n y comprobaciones de capacidad en la funci\u00f3n Redux_Color_Scheme_Import en las versiones 4.4.12 a 4.4.17. Esto hace posible que atacantes no autenticados carguen archivos JSON, que pueden usarse para realizar ataques de Cross Site Scripting almacenado y, en algunos casos raros, cuando wp_filesystem no se inicializa, para la ejecuci\u00f3n remota de c\u00f3digo."}], "id": "CVE-2024-6828", "lastModified": "2024-07-24T12:55:13.223", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2024-07-23T02:15:02.370", "references": [{"source": "security@wordfence.com", "url": "https://core.trac.wordpress.org/browser/tags/6.5.4/src/wp-includes/class-wp-theme-json.php#L1690"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/redux-framework/tags/4.4.17/redux-core/inc/classes/class-redux-filesystem.php#L614"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/redux-framework/tags/4.4.17/redux-core/inc/classes/class-redux-helpers.php#L938"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/redux-framework/tags/4.4.17/redux-core/inc/extensions/color_scheme/color_scheme/class-redux-color-scheme-import.php#L75"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/redux-framework/tags/4.4.17/redux-core/inc/fields/typography/redux-typography.js#L646"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/redux-framework/trunk/redux-core/inc/classes/class-redux-filesystem.php#L166"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/18a37063-31aa-4b1f-b1a5-1ea921a20686?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-434"}], "source": "security@wordfence.com", "type": "Secondary"}]}