CVE-2021-39352: 
WordPress vulnerability analysis and mitigation

The Catch Themes Demo Import WordPress plugin (versions up to and including 1.7) contains a vulnerability identified as CVE-2021-39352. The vulnerability was discovered in the import functionality located in the ~/inc/CatchThemesDemoImport.php file, which lacks sufficient file type validation (NVD, WPScan).

The vulnerability is classified as an Unrestricted Upload of File with Dangerous Type (CWE-434). It has received a CVSS v3.1 base score of 7.2 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H. The vulnerability specifically affects the import functionality in the plugin's core file CatchThemesDemoImport.php, where insufficient validation of uploaded file types creates a security weakness (NVD).

When exploited, this vulnerability allows an attacker with administrative privileges to upload malicious files to the server. These uploaded files can then be used to achieve remote code execution on the affected system, potentially compromising the entire WordPress installation (NVD, WPScan).

The vulnerability has been patched in version 1.8 of the Catch Themes Demo Import plugin. Site administrators are strongly advised to update to this version or later to protect against this vulnerability. If immediate updating is not possible, it is recommended to restrict access to the plugin's functionality to trusted administrators only (WPScan).