CVE-2021-39352
Published: 2021-10-21 · Last updated: 2026-06-17
Severity and scoring
- CVSS: 7.2 HIGH
- Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
- CWE: CWE-434
Affected products
| Vendor | Product |
|---|---|
| catchplugins | catch_themes_demo_import |
Description
The Catch Themes Demo Import WordPress plugin is vulnerable to arbitrary file uploads via the import functionality found in the ~/inc/CatchThemesDemoImport.php file, in versions up to and including 1.7, due to insufficient file type validation. This makes it possible for an attacker with administrative privileges to upload malicious files that can be used to achieve remote code execution.
Source: NVD
References
- [NVD] https://nvd.nist.gov/vuln/detail/CVE-2021-39352
- [Exploit reference] http://packetstormsecurity.com/files/165207/WordPress-Catch-Themes-Demo-Import-1.6.1-Shell-Upload.html
- [Other] http://packetstormsecurity.com/files/165463/WordPress-Catch-Themes-Demo-Import-Shell-Upload.html
- [Exploit reference] https://github.com/BigTiger2020/word-press/blob/main/Catch%20Themes%20Demo%20Import.md
- [Exploit reference] https://github.com/Hacker5preme/Exploits/tree/main/Wordpress/CVE-2021-39352
- [Patch] https://plugins.trac.wordpress.org/changeset/2617555/catch-themes-demo-import/trunk/inc/CatchThemesDemoImport.php
- [Exploit reference] https://www.exploit-db.com/exploits/50580
- [Other] https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39352
Related CVEs
Same CWE
- CVE-2026-40750 — Unrestricted Upload of File with Dangerous Type vulnerability in themagnifico52 Kids Online Store allows Upload a Web Shell to a Web Server (9.9 CRITICAL)
- CVE-2026-6933 — The Premmerce Dev Tools plugin for WordPress is vulnerable to Remote Code Execution via missing authorization in versions up to and inclu... (8.8 HIGH)
- CVE-2026-40772 — Unauthenticated Arbitrary File Upload in GeekyBot <= 1.2.2 versions (10.0 CRITICAL)
- CVE-2026-39591 — Subscriber Arbitrary File Upload in WP-BusinessDirectory <= 4.0.0 versions (9.9 CRITICAL)
- CVE-2026-39527 — Subscriber Arbitrary File Upload in WpStream < 4.11.2 versions (5.4 MEDIUM)