Viewing 6 replies - 1 through 6 (of 6 total)
  • I think it is already fixed.
    It should be the plugin “Access Demo Importer” and not the theme, see this link
    https://security-tracker.debian.org/tracker/CVE-2021-39317

    And version 1.07 was fixed some months ago.
    The plugin is only installed if you import demo content.

    Anonymous User 20166280

    (@anonymized-20166280)

    peterha7,

    I think it is already fixed.

    No.

    It should be the plugin “Access Demo Importer” and not the theme

    Wrong. Arbitrary File Upload vulnerability is directly related to the theme.

    Thread Starter dynamek

    (@dynamek)

    Yep thanks @yoruoni it is the theme and not fixed. I don’t have that plugin installed @peterha7

    Thread Starter dynamek

    (@dynamek)

    Looks like the theme has been pulled from WordPress – I take it there will be no fix? Be grateful for an answer to clarify!

    https://jetpack.com/2022/01/18/backdoor-found-in-themes-and-plugins-from-accesspress-themes/

    @yoruoni you are right.

    @dynamek good information!
    …if it is only the plugin_offline_installer_callback function found in the welcome/welcome.php file, it should help to place die(); at the beginning of this function and remove or comment out this line:
    add_action( 'wp_ajax_plugin_offline_installer', array( $this, 'plugin_offline_installer_callback' ) );

    This disables the demo importer functionality.

    • This reply was modified 3 years, 2 months ago by peterha7.
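
One way to check whether the mitigation from the reply above has been applied across installed themes. This is an added example, not part of the thread or the theme's own code. It scans PHP files for an uncommented registration of the `wp_ajax_plugin_offline_installer` hook. The function names, the `theme-a`/`theme-b`/`theme-c` directories and the sample sources are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Hook name taken from the reply above; matches either quote style.
REGISTRATION = re.compile(r"add_action\s*\(\s*['\"]wp_ajax_plugin_offline_installer['\"]")
BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.S)


def find_active_registrations(themes_dir):
    """Return (relative path, line) for each registration that is not commented out.

    Heuristic: comment markers inside PHP strings are not parsed.
    """
    root = Path(themes_dir)
    hits = []
    for php in sorted(root.rglob("*.php")):
        text = php.read_text(encoding="utf-8", errors="replace")
        # Blank /* ... */ blocks, keeping newlines so line numbers stay right.
        text = BLOCK_COMMENT.sub(lambda m: "\n" * m.group().count("\n"), text)
        for m in REGISTRATION.finditer(text):
            line_start = text.rfind("\n", 0, m.start()) + 1
            # Skip lines disabled with // or #, as the reply suggests.
            if text[line_start:m.start()].lstrip().startswith(("//", "#")):
                continue
            lineno = text.count("\n", 0, m.start()) + 1
            hits.append((php.relative_to(root).as_posix(), lineno))
    return hits


def demo():
    """Scan three constructed themes: untouched, line-commented, block-commented."""
    call = "add_action( 'wp_ajax_plugin_offline_installer', array( $this, 'plugin_offline_installer_callback' ) );"
    samples = {
        "theme-a": f"<?php\nclass Welcome {{\n  function __construct() {{\n    {call}\n  }}\n}}\n",
        "theme-b": f"<?php\nclass Welcome {{\n  function __construct() {{\n    // {call}\n  }}\n}}\n",
        "theme-c": f"<?php\n/*\n{call}\n*/\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, source in samples.items():
            target = Path(tmp, name, "welcome", "welcome.php")
            target.parent.mkdir(parents=True)
            target.write_text(source, encoding="utf-8")
        return find_active_registrations(tmp)


if __name__ == "__main__":
    for path, line in demo():
        print(f"{path}:{line}: demo importer AJAX hook still registered")
```

To scan a real site, pass its `wp-content/themes` directory to `find_active_registrations`; an empty result means no uncommented registration of the hook was found.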
    Anonymous User 20166280

    (@anonymized-20166280)

    peterha7,

    This disables the demo importer functionality.

    It’s better not to use products of a dubious vendor I believe.

    Speaks for itself that the vendor receives warnings about the presence of critical vulnerabilities and simply ignores this information for months, continuing to keep its customers at risk.

  • The topic ‘Arbitrary File Upload vulnerability’ is closed to new replies.