CVE-2021-24191

Published: May 14, 2021Modified: Nov 21, 2024

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

Low privileged users can use the AJAX action 'cp_plugins_do_button_job_later_callback' in the WP Maintenance Mode & Site Under Construction WordPress plugin before 1.8.2, to install any plugin (including a specific version) from the WordPress repository, as well as activate arbitrary plugin from then blog, which helps attackers install vulnerable plugins and could lead to more critical vulnerabilities like RCE.

Affected (1)

Products: Wpshopmart: Coming Soon Page & Maintenance Mode

1 product

Coming Soon Page & Maintenance Mode

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Wpshopmart Coming Soon Page & Maintenance Mode	Before 1.8.2

Related CWEs

Improper Authorization

The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

References (2)

https://wpscan.com/vulnerability/74889e29-5349-43d1-baf5-1622493be90c

Source: contact@wpscan.com

ExploitThird Party Advisory

https://wpscan.com/vulnerability/74889e29-5349-43d1-baf5-1622493be90c

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.