Word Press Plugin 3DPrint Lite Critical Vulnerability - 20240311003¶
Overview¶
The plugin does not have any authorisation and does not check the uploaded file in its p3dlite_handle_upload AJAX action , allowing unauthenticated users to upload arbitrary file to the web server. However, there is a .htaccess, preventing the file to be accessed on Web servers such as Apache.
What is vulnerable?¶
| Product(s) Affected | Summary | Severity | CVSS |
|---|---|---|---|
| 3DPrint Lite WordPress plugin before 1.9.1.5 | CVE-2021-4436 | Critical | 9.8 |
Recommendation¶
The WA SOC recommends administrators apply the solutions as per vendor instructions (refer Patch Management):