CVE-2021-24194

Published: May 14, 2021Modified: Nov 21, 2024

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

Low privileged users can use the AJAX action 'cp_plugins_do_button_job_later_callback' in the Login Protection - Limit Failed Login Attempts WordPress plugin before 2.9, to install any plugin (including a specific version) from the WordPress repository, as well as activate arbitrary plugin from then blog, which helps attackers install vulnerable plugins and could lead to more critical vulnerabilities like RCE.

Affected (1)

Products: Wp Buy: Login Protection Limit Failed Login Attempts

1 product

Login Protection Limit Failed Login Attempts

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Wp Buy Login Protection Limit Failed Login Attempts	Before 2.9

Related CWEs

Improper Authorization

The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

References (2)

https://wpscan.com/vulnerability/74889e29-5349-43d1-baf5-1622493be90c

Source: contact@wpscan.com

ExploitPatchThird Party Advisory

https://wpscan.com/vulnerability/74889e29-5349-43d1-baf5-1622493be90c

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitPatchThird Party Advisory

Timeline

No history available yet.