CVE-2020-36701

The Page Builder: KingComposer plugin for WordPress is vulnerable to Arbitrary File Uploads in versions up to, and including, 2.9.3 via the 'process_bulk_action' function in the 'kingcomposer/includes/kc.extensions.php' file. This makes it possible for authenticated users with author level permissions and above to upload arbitrary files onto the server which can be used to execute code on the server.
Configurations

Configuration 1 (hide)

cpe:2.3:a:king-theme:page_builder_king_composer:*:*:*:*:*:wordpress:*:*

History

21 Nov 2024, 05:30

Type Values Removed Values Added
References () https://blog.nintechnet.com/wordpress-kingcomposer-page-builder-fixed-multiple-critical-vulnerabilities/ - Exploit () https://blog.nintechnet.com/wordpress-kingcomposer-page-builder-fixed-multiple-critical-vulnerabilities/ - Exploit
References () https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2320014%40kingcomposer&new=2320014%40kingcomposer&sfp_email=&sfph_mail= - Patch () https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2320014%40kingcomposer&new=2320014%40kingcomposer&sfp_email=&sfph_mail= - Patch
References () https://wordpress.org/plugins/kingcomposer/#developers - Product () https://wordpress.org/plugins/kingcomposer/#developers - Product
References () https://www.wordfence.com/threat-intel/vulnerabilities/id/45a62dd0-386c-41b3-b8dd-ced443da9f92?source=cve - Third Party Advisory () https://www.wordfence.com/threat-intel/vulnerabilities/id/45a62dd0-386c-41b3-b8dd-ced443da9f92?source=cve - Third Party Advisory

13 Jun 2023, 19:05

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 8.8
First Time King-theme
King-theme page Builder King Composer
References (MISC) https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2320014%40kingcomposer&new=2320014%40kingcomposer&sfp_email=&sfph_mail= - (MISC) https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2320014%40kingcomposer&new=2320014%40kingcomposer&sfp_email=&sfph_mail= - Patch
References (MISC) https://www.wordfence.com/threat-intel/vulnerabilities/id/45a62dd0-386c-41b3-b8dd-ced443da9f92?source=cve - (MISC) https://www.wordfence.com/threat-intel/vulnerabilities/id/45a62dd0-386c-41b3-b8dd-ced443da9f92?source=cve - Third Party Advisory
References (MISC) https://blog.nintechnet.com/wordpress-kingcomposer-page-builder-fixed-multiple-critical-vulnerabilities/ - (MISC) https://blog.nintechnet.com/wordpress-kingcomposer-page-builder-fixed-multiple-critical-vulnerabilities/ - Exploit
References (MISC) https://wordpress.org/plugins/kingcomposer/#developers - (MISC) https://wordpress.org/plugins/kingcomposer/#developers - Product
CWE CWE-434
CPE cpe:2.3:a:king-theme:page_builder_king_composer:*:*:*:*:*:wordpress:*:*

07 Jun 2023, 02:45

Type Values Removed Values Added
New CVE

Information

Published : 2023-06-07 02:15

Updated : 2024-11-21 05:30


NVD link : CVE-2020-36701

Mitre link : CVE-2020-36701

CVE.ORG link : CVE-2020-36701


JSON object : View

Products Affected

king-theme

  • page_builder_king_composer
CWE
CWE-434

Unrestricted Upload of File with Dangerous Type