CVE-2021-24803

Published: Feb 28, 2022Modified: Jun 17, 2026

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

The Core Tweaks WP Setup WordPress plugin through 4.1 allows to bulk-set many settings in WordPress, including the admin email, as well as creating a new admin account. There is no CSRF protection in place, allowing an attacker to arbitrary change the admin email or create another admin account and takeover the website via CSRF attacks

Affected (1)

Products: Core Tweaks Wp Setup Project: Core Tweaks Wp Setup

Core Tweaks Wp Setup Project

1 product

Core Tweaks Wp Setup

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Core Tweaks Wp Setup Project Core Tweaks Wp Setup	Up to 4.1

Related CWEs

Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

References (2)

https://wpscan.com/vulnerability/97adac02-4163-48d4-ba14-0b1badfd3d42

Source: contact@wpscan.com

ExploitThird Party Advisory

https://wpscan.com/vulnerability/97adac02-4163-48d4-ba14-0b1badfd3d42

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.