CVE-2021-24191
Last modified
CVE-2021-24191 is a high-severity vulnerability rated 8.8/10 on the CVSS scale. Low privileged users can use the AJAX action 'cp_plugins_do_button_job_later_callback' in the WP Maintenance Mode & Site Under Construction WordPress plugin before 1.8.2, to install any plugin (including a specific version) from the WordPress repository, as well as activate arbitrary plugin from then blog, which helps attackers install vulnerable plugins and could lead to more critical vulnerabilities like RCE.. EPSS estimates a 1.31% chance of exploitation in the next 30 days.
Description
Low privileged users can use the AJAX action 'cp_plugins_do_button_job_later_callback' in the WP Maintenance Mode & Site Under Construction WordPress plugin before 1.8.2, to install any plugin (including a specific version) from the WordPress repository, as well as activate arbitrary plugin from then blog, which helps attackers install vulnerable plugins and could lead to more critical vulnerabilities like RCE.
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Wpshopmart | Coming Soon Page \& Maintenance Mode | < 1.8.2 |
References
- https://wpscan.com/vulnerability/74889e29-5349-43d1-baf5-1622493be90cExploit, Third Party Advisory
- https://wpscan.com/vulnerability/74889e29-5349-43d1-baf5-1622493be90cExploit, Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2021-24191?
How severe is CVE-2021-24191?
How do I fix CVE-2021-24191?
Are you affected by CVE-2021-24191?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST