WordPress Plugin Vulnerabilities

Catch Themes Demo Import < 1.8 - Admin+ Arbitrary File Upload

Description

The plugin is vulnerable to arbitrary file uploads via the import functionality found in the ~/inc/CatchThemesDemoImport.php file, in versions up to and including 1.7, due to insufficient file type validation. This makes it possible for an attacker with administrative privileges to upload malicious files that can be used to achieve remote code execution.

Affects Plugins

Plugin icon
catch-themes-demo-import
Fixed in 1.8

References

CVE
CVE-2021-39352
Exploitdb
50580
URL
https://packetstormsecurity.com/files/#165207/
URL
https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39352

Miscellaneous

Original Researcher
Thinkland Security Team
Verified
Yes
WPVDB ID
781f2ff4-cb94-40d7-96cb-90128daed862

Timeline

Publicly Published
2021-10-21 (about 4 years ago)
Added
2021-10-21 (about 4 years ago)
Last Updated
2022-04-12 (about 3 years ago)

Other

Published
Title
Published
2025-07-29
Title
Atarim < 4.2.2 - Unauthenticated Arbitrary File Upload
Published
2026-01-15
Title
All-in-One Video Gallery < 4.6.4 - Authenticated (Author+) Arbitrary File Upload via VTT Upload Bypass
Published
2025-11-25
Title
AI Feeds < 1.0.12 - Unauthenticated Arbitrary File Upload
Published
2024-11-08
Title
WooCommerce Support Ticket System < 17.8 - Unauthenticated Arbitrary File Upload
Published
2025-06-27
Title
File Manager Plugin For Wordpress <= 7.5 - Authenticated (Admin+) Arbitrary File Upload