CVE-2021-24193

Published: May 14, 2021Modified: Nov 21, 2024

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

Low privileged users can use the AJAX action 'cp_plugins_do_button_job_later_callback' in the Visitor Traffic Real Time Statistics WordPress plugin before 2.12, to install any plugin (including a specific version) from the WordPress repository, as well as activate arbitrary plugin from then blog, which helps attackers install vulnerable plugins and could lead to more critical vulnerabilities like RCE.

Affected (1)

Products: Wp Buy: Visitor Traffic Real Time Statistics

1 product

Visitor Traffic Real Time Statistics

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Wp Buy Visitor Traffic Real Time Statistics	Before 2.12

Related CWEs

Improper Authorization

The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

References (2)

https://wpscan.com/vulnerability/74889e29-5349-43d1-baf5-1622493be90c

Source: contact@wpscan.com

ExploitPatchThird Party Advisory

https://wpscan.com/vulnerability/74889e29-5349-43d1-baf5-1622493be90c

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitPatchThird Party Advisory

Timeline

No history available yet.