Vulnerability Details : CVE-2021-24175
Potential exploit
The Plus Addons for Elementor Page Builder WordPress plugin before 4.1.7 was being actively exploited by malicious actors to bypass authentication, allowing unauthenticated users to log in as any user (including admin) by just providing the related username, as well as to create accounts with arbitrary roles, such as admin. These issues can be exploited even if registration is disabled and the Login widget is not active.
Vulnerability category: Bypass; Gain privilege
Products affected by CVE-2021-24175
- cpe:2.3:a:posimyth:the_plus_addons_for_elementor:*:*:*:*:*:wordpress:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-24175
- EPSS score: 62.64% (probability of exploitation activity in the next 30 days)
- Percentile: ~98% (the proportion of vulnerabilities scored at or below this one)
CVSS scores for CVE-2021-24175
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P | 10.0 | 6.4 | NIST |
9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | NIST |
CWE ids for CVE-2021-24175
- When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Assigned by:
- contact@wpscan.com (Secondary)
- nvd@nist.gov (Primary)
References for CVE-2021-24175
- https://www.wordfence.com/blog/2021/03/critical-0-day-in-the-plus-addons-for-elementor-allows-site-takeover/ (Critical 0-day in The Plus Addons for Elementor Allows Site Takeover; Third Party Advisory)
- https://wpscan.com/vulnerability/c311feef-7041-4c21-9525-132b9bd32f89 (Exploit; Third Party Advisory)
- https://posimyth.ticksy.com/ticket/2713734/ (Broken Link)