Search

Find a vulnerability

Search criteria

    2 vulnerabilities found for Blox Page Builder by unitecms

    CVE-2024-6315 (GCVE-0-2024-6315)

    Vulnerability from nvd – Published: 2024-08-06 01:49 – Updated: 2026-04-08 16:35
    VLAI
    Title
    Blox Page Builder <= 1.0.65 - Authenticated (Contributor+) Arbitrary File Upload
    Summary
    The Blox Page Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'handleUploadFile' function in all versions up to, and including, 1.0.65. This makes it possible for authenticated attackers, with contributor-level and above permissions, to upload arbitrary files on the affected site's server which may make remote code execution possible.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-434 - Unrestricted Upload of File with Dangerous Type
    Assigner
    Impacted products
    Vendor Product Version
    unitecms Blox Page Builder Affected: 0 , ≤ 1.0.65 (semver)
    Create a notification for this product.
    unitecms blox_page_builder Affected: 0 , ≤ 1.0.65 (custom)
        cpe:2.3:a:unitecms:blox_page_builder:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    István Márton
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:unitecms:blox_page_builder:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "blox_page_builder",
                "vendor": "unitecms",
                "versions": [
                  {
                    "lessThanOrEqual": "1.0.65",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-6315",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-08-06T19:25:32.280013Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-08-06T19:42:11.065Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Blox Page Builder",
              "vendor": "unitecms",
              "versions": [
                {
                  "lessThanOrEqual": "1.0.65",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Istv\u00e1n M\u00e1rton"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Blox Page Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the \u0027handleUploadFile\u0027 function in all versions up to, and including, 1.0.65. This makes it possible for authenticated attackers, with contributor-level and above permissions, to upload arbitrary files on the affected site\u0027s server which may make remote code execution possible."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-434",
                  "description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T16:35:51.766Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0fe551db-2073-4eeb-83da-9ce8c2c031e1?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/blox-page-builder/trunk/inc_php/unitecreator_assets.class.php?rev=1866874#L979"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-06-25T00:00:00.000Z",
              "value": "Discovered"
            },
            {
              "lang": "en",
              "time": "2024-06-25T00:00:00.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2024-08-05T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Blox Page Builder \u003c= 1.0.65 - Authenticated (Contributor+) Arbitrary File Upload"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-6315",
        "datePublished": "2024-08-06T01:49:57.531Z",
        "dateReserved": "2024-06-25T12:48:59.232Z",
        "dateUpdated": "2026-04-08T16:35:51.766Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-6315 (GCVE-0-2024-6315)

    Vulnerability from cvelistv5 – Published: 2024-08-06 01:49 – Updated: 2026-04-08 16:35
    VLAI
    Title
    Blox Page Builder <= 1.0.65 - Authenticated (Contributor+) Arbitrary File Upload
    Summary
    The Blox Page Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'handleUploadFile' function in all versions up to, and including, 1.0.65. This makes it possible for authenticated attackers, with contributor-level and above permissions, to upload arbitrary files on the affected site's server which may make remote code execution possible.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-434 - Unrestricted Upload of File with Dangerous Type
    Assigner
    Impacted products
    Vendor Product Version
    unitecms Blox Page Builder Affected: 0 , ≤ 1.0.65 (semver)
    Create a notification for this product.
    unitecms blox_page_builder Affected: 0 , ≤ 1.0.65 (custom)
        cpe:2.3:a:unitecms:blox_page_builder:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    István Márton
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:unitecms:blox_page_builder:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "blox_page_builder",
                "vendor": "unitecms",
                "versions": [
                  {
                    "lessThanOrEqual": "1.0.65",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-6315",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-08-06T19:25:32.280013Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-08-06T19:42:11.065Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Blox Page Builder",
              "vendor": "unitecms",
              "versions": [
                {
                  "lessThanOrEqual": "1.0.65",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Istv\u00e1n M\u00e1rton"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Blox Page Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the \u0027handleUploadFile\u0027 function in all versions up to, and including, 1.0.65. This makes it possible for authenticated attackers, with contributor-level and above permissions, to upload arbitrary files on the affected site\u0027s server which may make remote code execution possible."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-434",
                  "description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T16:35:51.766Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0fe551db-2073-4eeb-83da-9ce8c2c031e1?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/blox-page-builder/trunk/inc_php/unitecreator_assets.class.php?rev=1866874#L979"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-06-25T00:00:00.000Z",
              "value": "Discovered"
            },
            {
              "lang": "en",
              "time": "2024-06-25T00:00:00.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2024-08-05T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Blox Page Builder \u003c= 1.0.65 - Authenticated (Contributor+) Arbitrary File Upload"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-6315",
        "datePublished": "2024-08-06T01:49:57.531Z",
        "dateReserved": "2024-06-25T12:48:59.232Z",
        "dateUpdated": "2026-04-08T16:35:51.766Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }