CVE-2021-24194
Last modified
CVE-2021-24194 is a high-severity vulnerability rated 8.8/10 on the CVSS scale. Low privileged users can use the AJAX action 'cp_plugins_do_button_job_later_callback' in the Login Protection - Limit Failed Login Attempts WordPress plugin before 2.9, to install any plugin (including a specific version) from the WordPress repository, as well as activate arbitrary plugin from then blog, which helps attackers install vulnerable plugins and could lead to more critical vulnerabilities like RCE.. EPSS estimates a 1.32% chance of exploitation in the next 30 days.
Description
Low privileged users can use the AJAX action 'cp_plugins_do_button_job_later_callback' in the Login Protection - Limit Failed Login Attempts WordPress plugin before 2.9, to install any plugin (including a specific version) from the WordPress repository, as well as activate arbitrary plugin from then blog, which helps attackers install vulnerable plugins and could lead to more critical vulnerabilities like RCE.
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Wp-Buy | Login Protection - Limit Failed Login Attempts | < 2.9 |
References
- https://wpscan.com/vulnerability/74889e29-5349-43d1-baf5-1622493be90cExploit, Patch, Third Party Advisory
- https://wpscan.com/vulnerability/74889e29-5349-43d1-baf5-1622493be90cExploit, Patch, Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2021-24194?
How severe is CVE-2021-24194?
How do I fix CVE-2021-24194?
Are you affected by CVE-2021-24194?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST