CVE-2021-24175

nvd nist nuclei

Published: Apr 5, 2021Modified: Nov 21, 2024

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

The Plus Addons for Elementor Page Builder WordPress plugin before 4.1.7 was being actively exploited to by malicious actors to bypass authentication, allowing unauthenticated users to log in as any user (including admin) by just providing the related username, as well as create accounts with arbitrary roles, such as admin. These issues can be exploited even if registration is disabled, and the Login widget is not active.

Affected (1)

Products: Posimyth: The Plus Addons For Elementor

1 product

The Plus Addons For Elementor

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Posimyth The Plus Addons For Elementor	Before 4.1.7

Related CWEs

Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

References (6)

https://posimyth.ticksy.com/ticket/2713734/

Source: contact@wpscan.com

Broken Link

https://wpscan.com/vulnerability/c311feef-7041-4c21-9525-132b9bd32f89

Source: contact@wpscan.com

ExploitThird Party Advisory

https://www.wordfence.com/blog/2021/03/critical-0-day-in-the-plus-addons-for-elementor-allows-site-takeover/

Source: contact@wpscan.com

Third Party Advisory

https://posimyth.ticksy.com/ticket/2713734/

Source: af854a3a-2127-422b-91ae-364da2661108

Broken Link

https://wpscan.com/vulnerability/c311feef-7041-4c21-9525-132b9bd32f89

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

https://www.wordfence.com/blog/2021/03/critical-0-day-in-the-plus-addons-for-elementor-allows-site-takeover/

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.